This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug nscd/9746] New: nscd cache corruption by garbage collection, leading to segfault and/or stack overrun
- From: "j-nomura at ce dot jp dot nec dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 15 Jan 2009 05:32:10 -0000
- Subject: [Bug nscd/9746] New: nscd cache corruption by garbage collection, leading to segfault and/or stack overrun
- Reply-to: sourceware-bugzilla at sourceware dot org
The garbage collection function, gc(), may free or move memory areas
which are allocated from the pool but not yet added to the cache db.
That leads to database corruption.
A later cache lookup might cause a segfault by out-of-range access.
Also, a later gc may try to set the bitmap while looking at the corrupted
cache entry, overwriting other data on the stack.
thread 1 (adding cache)             thread 2 (doing gc)
--------------------------------------------------------------
data = mempool_alloc
set the contents of 'data'
                                    write-lock db
                                    mark areas referenced from cache entries
                                    move them onto unmarked areas
                                    write-unlock db
read-lock db
cache_add(data)
read-unlock db
The repository HEAD has a change involving mem_in_flight, which is
to record such areas so that gc() can mark them as 'used' and avoid
freeing them.
However, gc() may still move such areas.
While the areas are moved, the user of the area still refers to the
old location and would corrupt the memory.
It might be possible to fix gc() so that it does not move the in-flight area.
But such areas are likely at the tail of gc's target memory range, and not
moving them doesn't make much sense, as it doesn't reclaim usable areas.
The attached patch protects the allocate/set/add-cache operation from gc.
thread 1 (adding cache)             thread 2 (doing gc)
--------------------------------------------------------------
read-lock db
data = mempool_alloc
set the contents of 'data'
cache_add(data)
read-unlock db
                                    write-lock db
                                    mark areas referenced from cache entries
                                    move them onto unmarked areas
                                    write-unlock db
The problem can be reproduced with the test program attached to Bugzilla 9741.
--
Summary: nscd cache corruption by garbage collection, leading to segfault and/or stack overrun
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: nscd
AssignedTo: drepper at redhat dot com
ReportedBy: j-nomura at ce dot jp dot nec dot com
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=9746
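The two interleavings in the report, replayed in a small single-threaded model. This is an added example written for this page, not nscd's code and not the attached patch: the pool, the compacting gc, the db lock (a plain counter/flag model, not pthreads) and the names mempool_alloc, cache_add, gc and seed are all stand-ins chosen here. The point it shows is the one the report makes: a record that has been allocated and filled but not yet added to the cache is invisible to gc's mark phase, so gc reclaims and compacts over it and the later cache_add records a stale offset; holding the read lock across allocate/fill/add keeps gc out until the entry is reachable.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the race: a pool with a compacting gc, a db reader/writer
 * lock, and two orderings of alloc/fill/cache_add. Single-threaded on
 * purpose: the interleavings from the report are replayed step by step. */

#define POOL_SIZE   64
#define REC_SIZE    8
#define MAX_ENTRIES 4

struct rwlock { int readers; int writer; };   /* model of the db lock, not pthreads */

static void read_lock(struct rwlock *l)   { l->readers++; }
static void read_unlock(struct rwlock *l) { l->readers--; }
/* gc needs the write lock; it cannot proceed while any reader holds the db. */
static int  try_write_lock(struct rwlock *l) {
    if (l->readers || l->writer) return 0;
    l->writer = 1;
    return 1;
}
static void write_unlock(struct rwlock *l) { l->writer = 0; }

struct db {
    struct rwlock lock;
    unsigned char pool[POOL_SIZE];
    size_t top;                     /* bump allocator: next free offset */
    size_t entries[MAX_ENTRIES];    /* cache entries: offsets into pool */
    size_t nentries;
};

static size_t mempool_alloc(struct db *d) { size_t o = d->top; d->top += REC_SIZE; return o; }
static void   cache_add(struct db *d, size_t off) { d->entries[d->nentries++] = off; }

/* Compacting gc: only records reachable from cache entries are marked; they
 * are slid to the front of the pool and their entry offsets rewritten. All
 * other space is reclaimed and filled with 0xAA so stale offsets read garbage.
 * Returns 1 if gc ran, 0 if a reader held the lock and gc had to wait. */
static int gc(struct db *d) {
    unsigned char fresh[POOL_SIZE];
    size_t top = 0;
    if (!try_write_lock(&d->lock))
        return 0;
    memset(fresh, 0xAA, sizeof fresh);
    for (size_t i = 0; i < d->nentries; i++) {
        memcpy(fresh + top, d->pool + d->entries[i], REC_SIZE);
        d->entries[i] = top;
        top += REC_SIZE;
    }
    memcpy(d->pool, fresh, sizeof fresh);
    d->top = top;
    write_unlock(&d->lock);
    return 1;
}

static int entry_is(const struct db *d, size_t i, const char *want) {
    return i < d->nentries &&
           strncmp((const char *)d->pool + d->entries[i], want, REC_SIZE) == 0;
}

/* Constructed starting state: one dead record (allocated, never added) and
 * then a live "bob" entry, so gc has something to move during compaction. */
static void seed(struct db *d) {
    memset(d, 0, sizeof *d);
    (void)mempool_alloc(d);                       /* garbage at offset 0 */
    read_lock(&d->lock);
    size_t off = mempool_alloc(d);                /* "bob" at offset 8 */
    strncpy((char *)d->pool + off, "bob", REC_SIZE);
    cache_add(d, off);
    read_unlock(&d->lock);
}

/* First table in the report: alloc and fill outside the lock, gc in between,
 * then cache_add records the now-stale offset. Returns 1 if "alice" reads
 * back intact (it does not: gc reclaimed the unreferenced area). */
static int unprotected_add_survives_gc(void) {
    struct db d; seed(&d);
    size_t data = mempool_alloc(&d);              /* offset 16, not yet in cache */
    strncpy((char *)d.pool + data, "alice", REC_SIZE);
    gc(&d);                                       /* runs: nobody holds the lock */
    read_lock(&d.lock);
    cache_add(&d, data);                          /* points into reclaimed space */
    read_unlock(&d.lock);
    return entry_is(&d, 1, "alice");
}

/* Second table in the report: the read lock is held across alloc/fill/add, so
 * gc is held off until the entry is reachable. Returns 1 if gc was blocked
 * mid-add and both entries survive the later compaction (they do). */
static int protected_add_survives_gc(void) {
    struct db d; seed(&d);
    read_lock(&d.lock);
    size_t data = mempool_alloc(&d);
    strncpy((char *)d.pool + data, "alice", REC_SIZE);
    int ran = gc(&d);                             /* 0: blocked by the read lock */
    cache_add(&d, data);
    read_unlock(&d.lock);
    gc(&d);                                       /* now runs; entry marked, moved, offset updated */
    return !ran && entry_is(&d, 0, "bob") && entry_is(&d, 1, "alice");
}

int main(void) {
    printf("unprotected add survives gc: %d\n", unprotected_add_survives_gc());
    printf("protected add survives gc:   %d\n", protected_add_survives_gc());
    return 0;
}
```

The model deliberately leaves out mem_in_flight: as the report notes, marking in-flight areas as used only prevents them being freed, while the compaction step would still move them out from under the thread that holds the old offset. Holding the read lock for the whole allocate/fill/add sequence is what removes both failure modes in this model.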