This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: tty_list::terminate() tty_master NULL pointer dereference

On Dec 13 21:54, Conrad W Song wrote:
> There is a race/bug between 'tty_list::allocate_tty()' and
> 'tty_list::terminate()'.  The culprits appear to be:
> 1) 'tty_list::terminate' does not hold the 'tty_mutex' before freeing a tty
> 2) 'tty::init()' does not clear 'master_pid' field as called by
> 'tty_list::terminate()'.
> The result is that 'allocate_tty()' can enter quickly reusing the same PID
> as the process which used to own the master tty (for some reason Windows
> decides to recycle PIDs very quickly).  The process thinks that it is
> holding the master tty (even though the _prior_ process was terminated --
> same PID but different process), and 'tty_master' remains NULL.  Upon
> 'tty_list::terminate', 'tty_master' is then NULL dereferenced.
> I have tried fixing 'tty::init()' to zero out the 'master_pid' field, and it
> appears to solve the problem (have not checked it for other bad behavior),
> as does the workaround of using 'CYGWIN=notty'.  However, I do not believe
> that the back-to-back PID reuse is timing sensitive, so I am surprised that
> strace could not pick up the problem.  I therefore suspect a flaw in my
> analysis and am still suspicious about the need for 'tty_mutex' locking in
> 'tty_list::terminate'.  I will try to provide a reproducing test case soon.

Thanks for your analysis!  I've applied a matching patch.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader
Red Hat, Inc.
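The failure sequence in the quoted report, replayed as an added C model that is not part of this thread or of Cygwin's own source. The struct layout, the array-of-slots 'tty_list', and the flat function names 'tty_list_allocate_tty' / 'tty_list_terminate' are simplifications assumed here in place of the real C++ classes; the two 'init' variants stand for 'tty::init()' before and after clearing 'master_pid'. The replay is single-threaded, so the 'tty_mutex' locking point from the report is not modelled; only the stale-'master_pid' path is. Instead of crashing, 'tty_list_terminate' returns -1 at the spot where the real code would dereference the NULL 'tty_master'.

```c
#include <stddef.h>
#include <stdio.h>

#define NTTYS 4

/* Master-side state; Cygwin's real tty_master holds handles and threads. */
struct tty_master_state { int open; };

struct tty {
    int used;                              /* slot currently allocated */
    int master_pid;                        /* pid recorded as owner of the master side */
    struct tty_master_state *tty_master;   /* non-NULL only inside the owning process */
};

static struct tty ttys[NTTYS];                 /* the shared tty list (assumed layout) */
static struct tty_master_state masters[NTTYS];

/* 'Before' init, as described in the report: frees the slot but leaves master_pid stale. */
static void tty_init_stale(struct tty *t)
{
    t->used = 0;
    t->tty_master = NULL;
}

/* 'After' init: also forgets the old owner, so a recycled pid can no longer match. */
static void tty_init_clear(struct tty *t)
{
    t->used = 0;
    t->master_pid = 0;
    t->tty_master = NULL;
}

static void (*tty_init)(struct tty *) = tty_init_clear;

enum alloc_result { ALLOC_NONE, ALLOC_NEW_MASTER, ALLOC_STALE_MASTER };

/* Allocate a tty for pid.  If a slot already names pid as its master, the caller
   is taken to own that tty and no master side is created; with a stale
   master_pid this leaves tty_master NULL, reported here as ALLOC_STALE_MASTER. */
static enum alloc_result tty_list_allocate_tty(int pid, int *ttynum)
{
    for (int i = 0; i < NTTYS; i++)
        if (ttys[i].master_pid == pid) {
            ttys[i].used = 1;
            *ttynum = i;
            return ttys[i].tty_master ? ALLOC_NEW_MASTER : ALLOC_STALE_MASTER;
        }
    for (int i = 0; i < NTTYS; i++)
        if (!ttys[i].used) {
            ttys[i].used = 1;
            ttys[i].master_pid = pid;
            masters[i].open = 1;
            ttys[i].tty_master = &masters[i];   /* create the master side */
            *ttynum = i;
            return ALLOC_NEW_MASTER;
        }
    return ALLOC_NONE;
}

/* Tear down pid's tty.  Returns -1 where the real code would dereference a
   NULL tty_master, 0 otherwise. */
static int tty_list_terminate(int pid, int ttynum)
{
    struct tty *t = &ttys[ttynum];
    if (t->master_pid != pid)
        return 0;                 /* not the master; nothing to close */
    if (t->tty_master == NULL)
        return -1;                /* the NULL dereference from the report */
    t->tty_master->open = 0;      /* close the master side */
    tty_init(t);
    return 0;
}

/* Replay the report: pid 100 owns a master, exits, and Windows hands pid 100
   to the next process, which allocates a tty again.  Returns the second
   process's terminate result: -1 with the stale init, 0 with the clearing init. */
static int replay_pid_reuse(int use_fixed_init)
{
    int ttynum = 0;
    tty_init = use_fixed_init ? tty_init_clear : tty_init_stale;
    for (int i = 0; i < NTTYS; i++)
        tty_init_clear(&ttys[i]);

    tty_list_allocate_tty(100, &ttynum);      /* first owner of the master */
    tty_list_terminate(100, ttynum);          /* exits; slot is reinitialised */
    tty_list_allocate_tty(100, &ttynum);      /* recycled pid (constructed scenario) */
    return tty_list_terminate(100, ttynum);
}

int main(void)
{
    printf("stale master_pid:   terminate -> %d\n", replay_pid_reuse(0));
    printf("cleared master_pid: terminate -> %d\n", replay_pid_reuse(1));
    return 0;
}
```

The stale path shows why the bug is not timing-sensitive in the way the report expected: once a slot still names a pid that the OS has handed out again, the second 'allocate_tty' matches on 'master_pid' alone, and no amount of delay changes that. Clearing the field in init removes the match; the separate question of holding 'tty_mutex' across the free remains a concurrency concern that this sequential replay cannot exercise.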
