From 1efc8eb2c7eda7664232ef0292b7283adf0db114 Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Tue, 29 Sep 2020 18:42:05 -0400
Subject: fix stale lock when allocation of ctor queue fails during dlopen

queue_ctors should not be called with the init_fini_lock held, since it may longjmp out on allocation failure. this introduces a minor TOCTOU race with p->constructed, but one already exists further down anyway, and by design it's okay to run through the queue more than once anyway. the only reason we bother to check p->constructed at all is to avoid spurious failure of dlopen when the library is already fully loaded and constructed.
---
 ldso/dynlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'ldso')

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index f7474743..15e9e4f9 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -2055,8 +2055,9 @@ void *dlopen(const char *file, int mode)
 	load_deps(p);
 	extend_bfs_deps(p);
 	pthread_mutex_lock(&init_fini_lock);
-	if (!p->constructed) ctor_queue = queue_ctors(p);
+	int constructed = p->constructed;
 	pthread_mutex_unlock(&init_fini_lock);
+	if (!constructed) ctor_queue = queue_ctors(p);
 	if (!p->relocated && (mode & RTLD_LAZY)) {
 		prepare_lazy(p);
 		for (i=0; p->deps[i]; i++)
-- 
cgit v1.2.1
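Review bot: The new ordering — snapshot `p->constructed` while `init_fini_lock` is held, then call `queue_ctors(p)` only after the unlock — is load-bearing, but nothing in the code says why, so a later reader will be tempted to fold the call back inside the critical section and reintroduce the stale lock this commit removes. Add a comment above the unlock/call pair, e.g. `/* queue_ctors may longjmp out on allocation failure, so it must not run with init_fini_lock held; a stale snapshot of p->constructed only costs a redundant, harmless pass over the queue */`. The claim that a repeated pass is harmless is an invariant of queue_ctors, which is not in this hunk, so I would verify it still holds before relying on the unlocked snapshot. dlopen starts and ends outside this hunk.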