| commit b805aebd42364fe696e417808a700fdb9800c9e8 |
| Author: Nikita Popov <npv1310@gmail.com> |
| Date: Mon Aug 9 20:17:34 2021 +0530 |
| |
| librt: fix NULL pointer dereference (bug 28213) |
| |
| Helper thread frees copied attribute on NOTIFY_REMOVED message |
| received from the OS kernel. Unfortunately, it fails to check whether |
| copied attribute actually exists (data.attr != NULL). This worked |
| earlier because free() checks passed pointer before actually |
| attempting to release corresponding memory. But |
| __pthread_attr_destroy assumes pointer is not NULL. |
| |
| So passing NULL pointer to __pthread_attr_destroy will result in |
| segmentation fault. This scenario is possible if |
| notification->sigev_notify_attributes == NULL (which means default |
| thread attributes should be used). |
| |
| Signed-off-by: Nikita Popov <npv1310@gmail.com> |
| Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> |
| |
| diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c |
| index 45449571d14c379f..581959d621135fb0 100644 |
| |
| |
| @@ -134,7 +134,7 @@ helper_thread (void *arg) |
| to wait until it is done with it. */ |
| (void) __pthread_barrier_wait (¬ify_barrier); |
| } |
| - else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) |
| + else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) |
| { |
| /* The only state we keep is the copy of the thread attributes. */ |
| pthread_attr_destroy (data.attr); |