This is the mail archive of the libffi-discuss@sourceware.org mailing list for the libffi project.
bug in libffi with selinux and a fork
- From: Victor Stinner <victor dot stinner at haypocalc dot com>
- To: libffi-discuss at sources dot redhat dot com
- Date: Tue, 27 Oct 2009 13:31:39 +0100
- Subject: bug in libffi with selinux and a fork
Hi,
I found a bug in libffi using the Python module ctypes. strace output:
-------
statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0,
f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255,
f_frsize=4096}) = 0
gettimeofday({1256588283, 889671}, NULL) = 0
open("/tmp/ffijhzWrH", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
unlink("/tmp/ffijhzWrH") = 0
ftruncate(3, 4096) = 0
mmap2(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 3, 0) = 0xc41000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 3, 0) = 0xb7c7d000
-------
The problem is that the memory mapping used for the callback (closure) is
shared. In my example (see attached file), the callback is destroyed in a
child process, and then is broken in the parent.
I found this bug on Python 2.6.2 and Fedora 12 (Beta).
Please CC me on your answer.
--
Victor Stinner
http://www.haypocalc.com/
from os import fork, waitpid
from _ctypes import FUNCFLAG_CDECL, FUNCFLAG_PYTHONAPI, CFuncPtr

class CFunctionType(CFuncPtr):
    _argtypes_ = tuple()
    _restype_ = None
    _flags_ = FUNCFLAG_CDECL | FUNCFLAG_PYTHONAPI

def display_error():
    pass

# create a shared mmap of the closure context for SELinux
callback = CFunctionType(display_error)

pid = fork()
if not pid:
    # destroy the shared context
    callback = None
    exit(0)

pid, status = waitpid(pid, 0)
# destroy the shared context
# but it's already destroyed by the child => crash
callback = None
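The mechanism behind the report, as an added C example (not Victor's attachment and not libffi code): a page of an unlinked temp file is mapped the way the strace above shows, a marker standing in for the closure is written, and after fork() the child wipes it. With MAP_SHARED the wipe is visible in the parent, exactly the cross-process destruction described in the mail; with MAP_PRIVATE the child only dirties its own copy-on-write page. The temp path name, the marker string and the writable-only view are assumptions of this demo (libffi's SELinux path adds a second PROT_EXEC view of the same file, which does not change the fork semantics shown here).

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Map one page of an unlinked temp file the way libffi's SELinux path
 * does in the strace above (open, unlink, ftruncate, mmap), using the
 * caller's MAP_SHARED or MAP_PRIVATE flag. Writable view only. */
static char *map_temp_page(int map_flags)
{
    char path[] = "/tmp/ffi-demo-XXXXXX";     /* constructed name */
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    unlink(path);                             /* mapping keeps the file alive */
    if (ftruncate(fd, 4096) != 0) {
        close(fd);
        return NULL;
    }
    char *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    close(fd);
    return p == MAP_FAILED ? NULL : p;
}

/* Store a closure-like marker, fork, let the child "destroy" it, and
 * report whether that reached the parent. Returns 1 if the parent's
 * copy was clobbered, 0 if it survived, -1 on error. */
int child_clobbers_parent(int map_flags)
{
    char *closure = map_temp_page(map_flags);
    if (!closure)
        return -1;
    strcpy(closure, "live closure");          /* constructed marker */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        memset(closure, 0, 4096);             /* child frees its closure */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    int clobbered = strcmp(closure, "live closure") != 0;
    munmap(closure, 4096);
    return clobbered;
}
```

child_clobbers_parent(MAP_SHARED) returns 1 and child_clobbers_parent(MAP_PRIVATE) returns 0, which is why a file-backed MAP_SHARED closure page is unsafe to free in a forked child while the parent still uses it.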