From c1e27367a9b26b9baac0f37a12349fc36567c8b6 Mon Sep 17 00:00:00 2001
From: Rich Felker
Date: Fri, 13 Oct 2017 23:00:34 -0400
Subject: fix read-after-free type error in pthread_detach

calling __unlock on t->exitlock is not valid because __unlock reads the waiters count after making the atomic store that could allow pthread_exit to continue and unmap the thread's stack and the object t points to.

for now, inline the __unlock logic with an unconditional futex wake operation so that the waiters count is not needed. once __lock/__unlock have been made safe for self-synchronized destruction, we could switch back to using them.
---
 src/thread/pthread_detach.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/thread/pthread_detach.c')

diff --git a/src/thread/pthread_detach.c b/src/thread/pthread_detach.c
index ed77f74d..13482607 100644
--- a/src/thread/pthread_detach.c
+++ b/src/thread/pthread_detach.c
@@ -9,7 +9,8 @@ static int __pthread_detach(pthread_t t)
 if (a_swap(t->exitlock, 1)) return __pthread_join(t, 0);
 t->detached = 2;
- __unlock(t->exitlock);
+ a_store(t->exitlock, 0);
+ __wake(t->exitlock, 1, 1);
 return 0;
 }
-- cgit v1.2.1
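Review bot: The order of the two added lines is load-bearing and nothing in the hunk says so: once `a_store(t->exitlock, 0)` is visible, pthread_exit in the target thread may proceed and unmap the stack and the object `t` points to, so `__wake(t->exitlock, 1, 1)` must stay the last statement that mentions `t` and must stay unconditional, and any later "optimization" that reads a waiter count or any field of `*t` after the store would reintroduce the read-after-free this commit fixes. I would pin that with a comment above the store, e.g. `/* releasing exitlock may let the target exit and unmap *t; nothing after this may dereference t, and the wake must be unconditional (no waiter-count read) */`. The wake itself may then target an address that is already unmapped; that is presumably acceptable because it is a syscall whose failure `__wake` does not act on, and a wake landing on reused memory is at worst a spurious wakeup futex users must tolerate, but that reasoning is not visible here and belongs in the same comment. The function's signature and opening brace lie outside the hunk.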