This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

pthread_create leaves valid mutex pointers on the stack

Cygwin's pthread_create function leaves a pointer to the pthread object's
mutex member on the stack.

If you subsequently call pthread_mutex_init on mutex in an automatic
variable, it's possible for it to reuse this stack slot.  In this case,
pthread_mutex_init observes that the mutex object is a pointer to a valid
mutex object, and fails with EBUSY.

This program illustrates the problem, with cygwin 1.5.19-4 and gcc 3.4.4-1:

#include <pthread.h>
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

/* expr is an expression returning 0 on success, or an errno value
 * on failure. */
#define Pth(expr) \
  do { \
	int ret; \
	if ((ret = (expr)) != 0) { \
	  errno = ret; \
	  perror(#expr); \
	  exit(1); \
	} \
  } while (0)

void* thread_function(void* arg)
  return NULL;

#define STACK_ADJUST 74

void stack_function(void)
  long adjust[STACK_ADJUST] __attribute__((__unused__));
  pthread_mutex_t mutex[4];

  Pth (pthread_mutex_init(&mutex[0], NULL));
  Pth (pthread_mutex_lock(&mutex[0]));
  Pth (pthread_mutex_unlock(&mutex[0])); 
  Pth (pthread_mutex_destroy(&mutex[0]));

int main()
  pthread_t thread;
  void *thread_ret;

  Pth (pthread_create(&thread, NULL, &thread_function, NULL));

  Pth (pthread_join(thread, &thread_ret));

  return 0;

In general, the idea of verifying objects on their init functions seems
dubious to me -- how can you tell initialized objects from random stack or
heap garbage?  In particular, it seems like this is an area where an
attacker could potentially cause odd effects by causing the pthread objects'
magic numbers to be written to the stack or heap in memory that is
subsequently re-used.

Jonathan Lennox
lennox at cs dot columbia dot edu

Unsubscribe info:
Problem reports:

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]