tlibthread: fix use after free of first thread in each proc - plan9port - [fork] Plan 9 from user space
       ---
 (DIR) commit 2991442aef1cf020ffde43673433ee97ef322a53
 (DIR) parent a012d174336358f997ddcb0099c0b01499b053e4
 (HTM) Author: Russ Cox <rsc@swtch.com>
       Date:   Tue, 15 Dec 2020 00:05:17 -0500
       
       libthread: fix use after free of first thread in each proc
       
       This was causing sporadic but frequent crashes at startup
       in 9pserve on the new M1 Macs, correctly diagnosing a
       use-after-free.
       
       Diffstat:
         M src/libthread/thread.c              |      10 +++++++++-
       
       1 file changed, 9 insertions(+), 1 deletion(-)
       ---
 (DIR) diff --git a/src/libthread/thread.c b/src/libthread/thread.c
       t@@ -411,7 +411,14 @@ Top:
                        p->nthread--;
        /*print("nthread %d\n", p->nthread); */
                        _threadstkfree(t->stk, t->stksize);
       -                free(t);
       +                /*
       +                 * Cannot free p->thread0 yet: it is used for the
       +                 * context switches back to the scheduler.
       +                 * Instead, we will free it at the end of this function.
       +                 * But all the other threads can be freed now.
       +                 */
       +                if(t != p->thread0)
       +                        free(t);
                }
        
                for(;;){
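Review bot: The retained `p->thread0` keeps a dangling `t->stk` pointer after `_threadstkfree(t->stk, t->stksize)` on the line above the new check, for the rest of the scheduler loop until the deferred free at the end of the function; if any later path in this function touches the stack fields of the still-live thread0, that is the same class of use-after-free this commit is fixing. It would be cheap to null the fields in the retained case, `if(t != p->thread0) free(t); else { t->stk = nil; t->stksize = 0; }`, so a stale access fails loudly rather than silently reading freed memory. The context switch back to the scheduler presumably only needs the thread's saved context, not its stack, but that is not visible in this hunk. The enclosing function starts before the `Top:` label, outside the hunk.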
       t@@ -490,6 +497,7 @@ Out:
                unlock(&threadnproclock);
                unlock(&p->lock);
                _threadsetproc(nil);
       +        free(p->thread0);
                free(p);
                _threadpexit();
        }
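Review bot: The new `free(p->thread0)` has no comment tying it to the deferral in the exit loop earlier in this function, so a later reader sees a bare free of a field that every other thread path frees inline and may "fix" it back. A one-line pointer would keep the two halves of the fix together: `free(p->thread0);	/* deferred from the exit loop: thread0 is needed for the switch back to the scheduler */`. It is also worth noting in that comment that the free is placed after `unlock(&p->lock)` and `_threadsetproc(nil)` deliberately, since `p` itself is freed on the next line and nothing else may reach it. The enclosing function starts before the `Out:` label, outside the hunk.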