fix race condition in pthread_kill

if thread id was reused by the kernel between the time pthread_kill
read it from the userspace pthread_t object and the time of the tgkill
syscall, a signal could be sent to the wrong thread. the tgkill
syscall was supposed to prevent this race (versus the old tkill
syscall) but it can't; it can only help in the case where the tid is
reused in a different process, but not when the tid is reused in the
same process.

the only solution i can see is an extra lock to prevent threads from
exiting while another thread is trying to pthread_kill them. it should
be very very cheap in the non-contended case.

3 files changed, 8 insertions, 1 deletions

diff --git a/src/internal/pthread_impl.h b/src/internal/pthread_impl.h
index 12f8ccfc..2089c857 100644
--- a/src/internal/pthread_impl.h
+++ b/src/internal/pthread_impl.h
@@ -46,6 +46,7 @@ struct pthread {
 	int unblock_cancel;
 	int delete_timer;
 	locale_t locale;
+	int killlock;
 };
 
 struct __timer {
diff --git a/src/thread/pthread_create.c b/src/thread/pthread_create.c
index c856c581..d60c2a4d 100644
--- a/src/thread/pthread_create.c
+++ b/src/thread/pthread_create.c
@@ -27,7 +27,9 @@ void __pthread_unwind_next(struct __ptcb *cb)
 	__lock(&self->exitlock);
 
 	/* Mark this thread dead before decrementing count */
+	__lock(&self->killlock);
 	self->dead = 1;
+	a_store(&self->killlock, 0);
 
 	do n = libc.threads_minus_1;
 	while (n && a_cas(&libc.threads_minus_1, n, n-1)!=n);
diff --git a/src/thread/pthread_kill.c b/src/thread/pthread_kill.c
index 36e9b6da..a24ecc20 100644
--- a/src/thread/pthread_kill.c
+++ b/src/thread/pthread_kill.c
@@ -2,5 +2,9 @@
 
 int pthread_kill(pthread_t t, int sig)
 {
-	return -__syscall(SYS_tgkill, t->pid, t->tid, sig);
+	int r;
+	__lock(&t->killlock);
+	r = t->dead ? ESRCH : -__syscall(SYS_tgkill, t->pid, t->tid, sig);
+	a_store(&t->killlock, 0);
+	return r;
 }