Date: Mon, 17 Jan 2022 12:01:51 +0100
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: Re: Segmentation fault due to double free for archetype.
References: <20220115192030 DOT de26356820d839eec3227e70 AT nifty DOT ne DOT jp>
In-Reply-To: <20220115192030.de26356820d839eec3227e70@nifty.ne.jp>
On Jan 15 19:20, Takashi Yano wrote:
> Hi,
>
> I found the following test case causes segmentation fault
> in 32 bit cygwin.
> [...]
> I looked into this problem and found that this is due to
> freeing archetype which was already freed by _cfree().
>
> The mechanism of the problem is:
> 1) archetype is added to archetypes[] at line 675 in dtable.cc
>    when trying to open pty.
> 2) Opening pty fails because too many ptys are opened.
> 3) archetype is deleted at line 444 in fhandler.cc.
> 4) archetype is copied from archetypes[] at line 659 in dtable.cc
>    which is already freed in step 3) when trying to open pty again.
> 5) Opening pty fails again.
> 6) archetype which was already freed in step 3) is deleted at
>    line 444 in fhandler.cc.
>
> I am not sure why this does not happen in 64 bit cygwin.
> I guess double free does not cause segfault by chance in
> 64 bit cygwin.
>
> I also found the following patch fixes the issue. Is this the
> right thing?
>
> diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
> index fc7c0422e..e51208117 100644
> --- a/winsup/cygwin/fhandler.cc
> +++ b/winsup/cygwin/fhandler.cc
> @@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode)
> || open (flags, mode & 07777)))
> {
> if (archetype)
> - delete archetype;
> + cygheap->fdtab.delete_archetype (archetype);
> }
> else if (archetype)
> {

Good catch!

I think this is basically ok, but you have to check the usecount, i.e.

  if (archetype && archetype_usecount (-1) == 0)
    cygheap->fdtab.delete_archetype (archetype);

Does that sound right?

Corinna
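Review bot: the replacement line `+ cygheap->fdtab.delete_archetype (archetype);` removes and frees the archetype unconditionally whenever the open fails, even when other descriptors opened through the same archetype still reference it; the `if (archetype)` guard should also test the usecount, as the reply suggests, e.g. `if (archetype && archetype_usecount (-1) == 0)`, so that only the last reference drops the entry from archetypes[] and frees it.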
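The lifetime problem described in the quoted steps, modelled in a small added example that is not Cygwin's code: a table of archetype pointers, a delete that clears the table slot before freeing (the fix), and a usecount guard so a failing open of a shared archetype does not drop it. All names (arch_t, archetypes, find_or_add_archetype, delete_archetype, open_with_arch) are hypothetical stand-ins for the real identifiers.

```c
#include <stdlib.h>
/* Added, simplified model of the archetype table discussed in the thread,
 * not Cygwin's code; all names are hypothetical stand-ins. */
#define MAX_ARCH 8
typedef struct { int dev; int usecount; } arch_t;
static arch_t *archetypes[MAX_ARCH];

/* Look up the archetype for dev, or register a new one in a free slot. */
static arch_t *find_or_add_archetype (int dev)
{
  int slot = -1;
  for (int i = 0; i < MAX_ARCH; i++)
    if (!archetypes[i])
      slot = slot < 0 ? i : slot;
    else if (archetypes[i]->dev == dev)
      return archetypes[i];
  if (slot < 0)
    return NULL;
  arch_t *a = calloc (1, sizeof *a);
  a->dev = dev;
  return archetypes[slot] = a;
}

/* The fix: clear the table slot before freeing, so a later open cannot
 * copy a dangling pointer out of archetypes[] and free it a second time. */
static void delete_archetype (arch_t *a)
{
  for (int i = 0; i < MAX_ARCH; i++)
    if (archetypes[i] == a)
      archetypes[i] = NULL;
  free (a);
}

/* Simulated open_with_arch; 'fail' models "too many ptys are opened".
 * Returns 0 on success, -1 on failure. */
static int open_with_arch (int dev, int fail)
{
  arch_t *a = find_or_add_archetype (dev);
  if (!a) return -1;
  a->usecount++;
  if (fail)
    {
      /* Guard from the reply: only the last user may delete the archetype. */
      if (--a->usecount == 0)
        delete_archetype (a);
      return -1;
    }
  return 0;
}
```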