[Libguestfs] [PATCH nbdkit] wrapper: Set MALLOC_CHECK=1 and MALLOC_PERTURB_ (randomly).
Eric Blake
eblake at redhat.com
Mon Mar 18 17:29:02 UTC 2019
On 3/18/19 11:59 AM, Richard W.M. Jones wrote:
> This is a cheap way to find some use-after-free and uninitialized read
> problems when using glibc.
>
> This in fact reveals a race during filter shutdown (which this
> commit does not fix):
>
> Thread 2 (Thread 0x7f1caaa5ffc0 (LWP 7223)):
> #0 0x00007f1cab0a05f8 in pthread_rwlock_wrlock () from /lib64/libpthread.so.0
> #1 0x0000000000408842 in lock_unload () at locks.c:97
> #2 0x00000000004066ff in filter_free (b=0x203c330) at filters.c:77
Do we need some sort of pthread_join() in filter_free() to allow...
> #3 0x000000000040a6f4 in main (argc=11, argv=0x7ffc1f4486e8) at main.c:649
>
> Thread 1 (Thread 0x7f1caaa5e700 (LWP 7226)):
> #0 0x000000000040732a in filter_finalize (b=0x203c330, conn=0x203d870)
> at filters.c:421
...filter_finalize() time to finish its job? But I agree that solving
the race is an independent patch.
> #1 0x0000000000404d07 in _handle_single_connection (sockin=6, sockout=6)
> at connections.c:239
> #2 0x0000000000404d76 in handle_single_connection (sockin=6, sockout=6)
> at connections.c:258
> #3 0x00000000004119f6 in start_thread (datav=0x203b450) at sockets.c:263
> #4 0x00007f1cab09b5a2 in start_thread () from /lib64/libpthread.so.0
> #5 0x00007f1caafc85c3 in clone () from /lib64/libc.so.6
>
> What's happening here is that the filter / plugin chain is freed by
> Thread 2, while Thread 1 is calling filter->finalize. At this point
> filter->finalize points to freed memory, but "normally" this would
> still contain the correct function pointer. However when
> MALLOC_PERTURB_ is set the function pointer is overwritten with the
> non-zero dead memory pattern which we then attempt to call, causing a
> segfault (in Thread 1).
> ---
> wrapper.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
I like that it makes in-tree testing more robust, without penalizing
release builds.
ACK.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libguestfs/attachments/20190318/a51edceb/attachment.sig>
More information about the Libguestfs
mailing list