olga / rpms / glibc

Forked from rpms/glibc 5 years ago
Clone
ce426f
commit b3a810d0d3d5c6ce7ddfb61321cd7971808ca703
ce426f
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
ce426f
Date:   Tue May 17 10:45:48 2016 +0200
ce426f
ce426f
    Fix tst-cancel17/tst-cancelx17, which sometimes segfaults while exiting.
ce426f
    
ce426f
    The testcase tst-cancel[x]17 ends sometimes with a segmentation fault.
ce426f
    This happens in one of 10000 cases. Then the real testcase has already
ce426f
    exited with success and returned from do_test(). The segmentation fault
ce426f
    occurs after returning from main in _dl_fini().
ce426f
    
ce426f
    In those cases, the aio_read(&a) was not canceled because the read
ce426f
    request was already in progress. In the meanwhile aio_write(ap) wrote
ce426f
    something to the pipe and the read request is able to read the
ce426f
    requested byte.
ce426f
    The read request hasn't finished before returning from do_test().
ce426f
    After it finishes, it writes the return value and error code from the
ce426f
    read syscall to the struct aiocb a, which lies on the stack of do_test.
ce426f
    The stack of the subsequent function call of _dl_fini or _dl_sort_fini,
ce426f
    which is inlined in _dl_fini is corrupted.
ce426f
    
ce426f
    In case of S390, it reads a zero and decrements it by 1:
ce426f
    unsigned int k = nmaps - 1;
ce426f
    struct link_map **runp = maps[k]->l_initfini;
ce426f
    The load from unmapped memory leads to the segmentation fault.
ce426f
    The stack corruption also happens on other architectures.
ce426f
    I saw them e.g. on x86 and ppc, too.
ce426f
    
ce426f
    This patch adds an aio_suspend call to ensure, that the read request
ce426f
    is finished before returning from do_test().
ce426f
    
ce426f
    ChangeLog:
ce426f
    
ce426f
    	* nptl/tst-cancel17.c (do_test): Wait for finishing aio_read(&a).
ce426f
ce426f
diff --git a/nptl/tst-cancel17.c b/nptl/tst-cancel17.c
ce426f
index fb89292..eedd28e 100644
ce426f
--- a/nptl/tst-cancel17.c
ce426f
+++ b/nptl/tst-cancel17.c
ce426f
@@ -333,6 +333,22 @@ do_test (void)
ce426f
 
ce426f
   puts ("early cancellation succeeded");
ce426f
 
ce426f
+  if (ap == &a2)
ce426f
+    {
ce426f
+      /* The aio_read(&a) was not canceled because the read request was
ce426f
+	 already in progress. In the meanwhile aio_write(ap) wrote something
ce426f
+	 to the pipe and the read request either has already been finished or
ce426f
+	 is able to read the requested byte.
ce426f
+	 Wait for the read request before returning from this function because
ce426f
+	 the return value and error code from the read syscall will be written
ce426f
+	 to the struct aiocb a, which lies on the stack of this function.
ce426f
+	 Otherwise the stack from subsequent function calls - e.g. _dl_fini -
ce426f
+	 will be corrupted, which can lead to undefined behaviour like a
ce426f
+	 segmentation fault.  */
ce426f
+      const struct aiocb *l[1] = { &a };
ce426f
+      TEMP_FAILURE_RETRY (aio_suspend(l, 1, NULL));
ce426f
+    }
ce426f
+
ce426f
   return 0;
ce426f
 }
ce426f