
Bug#75163: marked as done (libc6: race condition with getenv() in multi-threaded program)


Debian Bug Tracking System

Jan 4, 2001, 3:09:38 PM
Your message dated Thu, 04 Jan 2001 14:57:31 -0500
with message-id <E14EGVv-...@auric.debian.org>
and subject line Bug#75163: fixed in glibc 2.2-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Oct 2000 16:30:16 +0000
From may...@tao-group.com Thu Oct 19 11:30:16 2000
Return-path: <may...@tao-group.com>
Received: from tele2-gw.tao-group.com (gate.tao-group.com) [::ffff:212.19.67.123]
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 13mIa6-0002Oe-00; Thu, 19 Oct 2000 11:30:14 -0500
Received: from zircon.tao.co.uk (zircon.tao.co.uk [172.16.100.118])
by gate.tao-group.com (8.9.3/8.9.3) with ESMTP id RAA30738
for <sub...@bugs.debian.org>; Thu, 19 Oct 2000 17:30:12 +0100
Received: from localhost (zircon.tao.co.uk) [127.0.0.1] (maydell)
by zircon.tao.co.uk with esmtp (Exim 3.12 #1 (Debian))
id 13mIa2-00057H-00; Thu, 19 Oct 2000 17:30:10 +0100
To: sub...@bugs.debian.org
Subject: libc6: race condition with getenv() in multi-threaded program
Date: Thu, 19 Oct 2000 17:30:10 +0100
From: Peter Maydell <may...@tao-group.com>
Message-Id: <E13mIa2-...@zircon.tao.co.uk>
Delivered-To: sub...@bugs.debian.org

Package: libc6
Version: 2.1.95-1

Due to insufficient locking in the implementation of getenv() there is a race
condition which can lead to access to invalid memory in a multi-threaded
program, where one thread is altering the environment while another tries to
access it.

I enclose a simple test program which is linked against electric fence in
order to catch the invalid access:

===== begin =====
/* compile program with:
 * cc -Wall -W -g -o envtest envtest.c -lpthread -lefence
 */
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
static void* thread_start (void* not_used)
{
    fprintf(stderr, "child thread started\n");
    for(;;)
    {
        char *env = getenv("X");   /* reader: walks environ with no lock held */
    }

    /* NEVER GETS HERE */
}

int main(void)
{
    void* child_thread_retval ;
    pthread_t child_thread ;
    fprintf(stderr, "Main started\n");

    if (pthread_create( &child_thread, NULL, thread_start, NULL)!= 0)
    {
        perror("Could not start child thread");
        exit(1);
    }
    fprintf(stderr, "Child thread created\n");

    for(;;)
    {
        putenv("X=Y");    /* writer: may grow (reallocate) the environ array */
        clearenv();       /* writer: frees the array the reader may be walking */
    }

    /* NEVER GETS HERE */

    return 0;
}
===== endit =====

You can demonstrate the problem as follows:

===== begin =====
chroot-zircon# cc -Wall -W -g -o envtest envtest.c -lpthread -lefence
envtest.c: In function `thread_start':
envtest.c:13: warning: unused variable `env'
envtest.c:8: warning: unused parameter `not_used'
envtest.c: In function `main':
envtest.c:21: warning: unused variable `child_thread_retval'
chroot-zircon# gdb envtest
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(gdb) run
Starting program: /tmp/envtest
[New Thread 1024 (LWP 19644)]
Main started

Electric Fence 2.0.5 Copyright (C) 1987-1998 Bruce Perens.
[New Thread 2049 (LWP 19645)]
[New Thread 1026 (LWP 19646)]
Child thread created
child thread started

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1026 (LWP 19646)]
0x40060b05 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x40060b05 in getenv () from /lib/libc.so.6
#1 0x804870d in thread_start (not_used=0x0) at envtest.c:13
#2 0x4001fcc5 in pthread_start_thread () from /lib/libpthread.so.0
#3 0x4001fd0d in pthread_start_thread_event () from /lib/libpthread.so.0

===== endit =====

The segfault occurs because getenv() is attempting to access an environment
array which the other thread has just freed. Note that this problem also
occurs in the version of libc6 in potato.

The fix should be fairly easy: just add locking around getenv().

Peter Maydell

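The following is an added example and is not part of the bug report or of glibc. It shows the application-level form of the fix Peter asks for: one mutex serialises every environment access, and readers receive a private copy of the value under the lock, so no thread ever holds a pointer into an environ array that another thread may have just freed or reallocated. It assumes Linux/glibc (clearenv() is a GNU extension); the names env_get_copy, env_set, env_clear, env_roundtrip_check and run_locked_race are invented here, and run_locked_race replays the report's set/clear writer loop against a reader that uses only the locked wrapper.

```c
/* envlock.c -- added example, not from the bug report or from glibc.
 * All environment access goes through env_lock; readers get a copy.
 * Assumes Linux/glibc (clearenv() is a GNU extension).
 * Build: cc -Wall -W -g -o envlock envlock.c -lpthread
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int clearenv(void);   /* glibc's prototype, declared explicitly in case
                         the feature macros were fixed before our #define */

static pthread_mutex_t env_lock = PTHREAD_MUTEX_INITIALIZER;

/* Copy the value of NAME into BUF while holding the lock.
 * Returns 1 if the variable is set and fits, 0 otherwise (BUF is then ""). */
int env_get_copy(const char *name, char *buf, size_t buflen)
{
    int found = 0;
    if (buflen == 0)
        return 0;
    buf[0] = '\0';
    pthread_mutex_lock(&env_lock);
    const char *v = getenv(name);          /* pointer only valid under lock */
    if (v != NULL) {
        size_t n = strlen(v);
        if (n < buflen) {
            memcpy(buf, v, n + 1);
            found = 1;
        }
    }
    pthread_mutex_unlock(&env_lock);
    return found;
}

/* Writers take the same lock, so they cannot free or reallocate the
 * environ array while a reader is walking it. */
int env_set(const char *name, const char *value)
{
    pthread_mutex_lock(&env_lock);
    int rc = setenv(name, value, 1);
    pthread_mutex_unlock(&env_lock);
    return rc;
}

int env_clear(void)
{
    pthread_mutex_lock(&env_lock);
    int rc = clearenv();
    pthread_mutex_unlock(&env_lock);
    return rc;
}

/* Single-threaded sanity check of the wrappers: returns 1 on success. */
int env_roundtrip_check(void)
{
    char buf[8];
    if (env_set("X", "Y") != 0) return 0;
    if (env_get_copy("X", buf, sizeof buf) != 1 || strcmp(buf, "Y") != 0) return 0;
    if (env_get_copy("X", buf, 1) != 0 || buf[0] != '\0') return 0;  /* too small */
    if (env_clear() != 0) return 0;
    if (env_get_copy("X", buf, sizeof buf) != 0) return 0;            /* now unset */
    return 1;
}

/* The report's writer loop (set X, clear the environment) run against a
 * reader that only reads through the locked wrapper. */
struct reader_state { long iterations; long inconsistent; };

static void *reader_thread(void *arg)
{
    struct reader_state *st = arg;
    char buf[16];
    for (long i = 0; i < st->iterations; i++) {
        /* A value that is present but not "Y" would be a torn read. */
        if (env_get_copy("X", buf, sizeof buf) && strcmp(buf, "Y") != 0)
            st->inconsistent++;
    }
    return NULL;
}

/* Returns the number of inconsistent reads (expected 0), or -1 on error. */
long run_locked_race(long iterations)
{
    struct reader_state st = { iterations, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, reader_thread, &st) != 0)
        return -1;
    for (long i = 0; i < iterations; i++) {
        if (env_set("X", "Y") != 0 || env_clear() != 0) {
            pthread_join(t, NULL);
            return -1;
        }
    }
    pthread_join(t, NULL);
    return st.inconsistent;
}

int main(void)
{
    long bad = run_locked_race(200000);
    printf("locked race finished, inconsistent reads: %ld\n", bad);
    return bad == 0 ? 0 : 1;
}
```

The wrapper only helps if every thread in the process, including any library code, goes through it; a single unlocked getenv() elsewhere reintroduces the race, which is why the report asks for the locking inside libc rather than in callers. Copying the value out under the lock matters as much as the lock itself: returning getenv()'s pointer to the caller would leave it dangling once the next env_clear() runs.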
---------------------------------------
Received: (at 75163-close) by bugs.debian.org; 4 Jan 2001 20:04:04 +0000
From tr...@auric.debian.org Thu Jan 04 14:04:03 2001
Return-path: <tr...@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] (mail)
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 14EGcE-0002dC-00; Thu, 04 Jan 2001 14:04:03 -0600
Received: from troup by auric.debian.org with local (Exim 3.12 1 (Debian))
id 14EGVv-00058p-00; Thu, 04 Jan 2001 14:57:31 -0500
From: Ben Collins <bcol...@debian.org>
To: 75163...@bugs.debian.org
Subject: Bug#75163: fixed in glibc 2.2-9
Message-Id: <E14EGVv-...@auric.debian.org>
Sender: James Troup <tr...@auric.debian.org>
Date: Thu, 04 Jan 2001 14:57:31 -0500
Delivered-To: 75163...@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
glibc, which has been installed in the Debian FTP archive:

libc6-pic_2.2-9_powerpc.deb
to pool/main/g/glibc/libc6-pic_2.2-9_powerpc.deb
libc6-pic_2.2-9_i386.deb
to pool/main/g/glibc/libc6-pic_2.2-9_i386.deb
libc6-dbg_2.2-9_i386.deb
to pool/main/g/glibc/libc6-dbg_2.2-9_i386.deb
libc6-i686_2.2-9_i386.deb
to pool/main/g/glibc/libc6-i686_2.2-9_i386.deb
libc6_2.2-9_sparc.deb
to pool/main/g/glibc/libc6_2.2-9_sparc.deb
nscd_2.2-9_i386.deb
to pool/main/g/glibc/nscd_2.2-9_i386.deb
libc6-dbg_2.2-9_sparc.deb
to pool/main/g/glibc/libc6-dbg_2.2-9_sparc.deb
libc6-i586_2.2-9_i386.deb
to pool/main/g/glibc/libc6-i586_2.2-9_i386.deb
libc6-v9_2.2-9_sparc.deb
to pool/main/g/glibc/libc6-v9_2.2-9_sparc.deb
libc6-prof_2.2-9_i386.deb
to pool/main/g/glibc/libc6-prof_2.2-9_i386.deb
libc6-dev_2.2-9_powerpc.deb
to pool/main/g/glibc/libc6-dev_2.2-9_powerpc.deb
libc6-prof_2.2-9_powerpc.deb
to pool/main/g/glibc/libc6-prof_2.2-9_powerpc.deb
glibc_2.2-9.dsc
to pool/main/g/glibc/glibc_2.2-9.dsc
glibc_2.2-9.diff.gz
to pool/main/g/glibc/glibc_2.2-9.diff.gz
glibc-doc_2.2-9_all.deb
to pool/main/g/glibc/glibc-doc_2.2-9_all.deb
nscd_2.2-9_sparc.deb
to pool/main/g/glibc/nscd_2.2-9_sparc.deb
libc6-dev_2.2-9_sparc.deb
to pool/main/g/glibc/libc6-dev_2.2-9_sparc.deb
libc6-prof_2.2-9_sparc.deb
to pool/main/g/glibc/libc6-prof_2.2-9_sparc.deb
locales_2.2-9_all.deb
to pool/main/g/glibc/locales_2.2-9_all.deb
nscd_2.2-9_powerpc.deb
to pool/main/g/glibc/nscd_2.2-9_powerpc.deb
i18ndata_2.2-9_all.deb
to pool/main/g/glibc/i18ndata_2.2-9_all.deb
libc6-pic_2.2-9_sparc.deb
to pool/main/g/glibc/libc6-pic_2.2-9_sparc.deb
libc6-dev_2.2-9_i386.deb
to pool/main/g/glibc/libc6-dev_2.2-9_i386.deb
libc6-dbg_2.2-9_powerpc.deb
to pool/main/g/glibc/libc6-dbg_2.2-9_powerpc.deb
libc6_2.2-9_i386.deb
to pool/main/g/glibc/libc6_2.2-9_i386.deb
libc6_2.2-9_powerpc.deb
to pool/main/g/glibc/libc6_2.2-9_powerpc.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 75...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Collins <bcol...@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpm...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 2 Jan 2001 20:22:11 -0500
Source: glibc
Binary: locales libc0.2-dbg glibc-doc nscd libc6-i586 libc6.1-dbg libc6-i686 libc0.2 libc6-dbg libc6-v9 libc0.2-prof libc6.1 libc6 libc0.2-pic libc6.1-prof libc6-prof libc0.2-dev libc6.1-pic libc6-pic i18ndata libc6.1-dev libc6-dev
Architecture: source all sparc i386 powerpc
Version: 2.2-9
Distribution: unstable
Urgency: low
Maintainer: Ben Collins <bcol...@debian.org>
Changed-By: Ben Collins <bcol...@debian.org>
Description:
glibc-doc - GNU C Library: Documentation
i18ndata - GNU C Library: National Language (locale) data [source]
libc6 - GNU C Library: Shared libraries and Timezone data
libc6-dbg - GNU C Library: Libraries with debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files.
libc6-pic - GNU C Library: PIC archive library
libc6-prof - GNU C Library: Profiling Libraries.
libc6-v9 - GNU C Library: Shared libraries [v9 optimized]
locales - GNU C Library: National Language (locale) data [support]
nscd - GNU C Library: Name Service Cache Daemon
Closes: 11560 14093 21676 35035 35731 35875 36030 36775 38742 38998 48705 50672 51877 52222 55578 58606 60960 67921 68510 68918 69045 69278 71060 72095 72663 73003 74345 75163 77312 77791 78656 80991
Changes:
glibc (2.2-9) unstable; urgency=low
.
* CVS synced as of 2001-01-03. Happy freaking new year.
* Remove FAKEROOT check, since we don't build locales now, we don't have
to worry about it.
* dlfcn/dlerror.c: dlerror(): Check for result->errstring being NULL,
closes: #80991
* No offense, but I cannot be expected to debug fortran programs
compiled with a commercial(?), non-GNU compiler. Talk to them about
getting it to work. As for the "works on RH, but not Debian", most
likely that didn't do anything to make it very portable. closes: #68510
* Tested with current NIS, and the test cases pass with no open fd's.
closes: #52222
* Make note of AMD in libc6-i[56]86 descriptions. closes: #77791
* Make note about some commercial programs not liking our optimized
libraries (IBM JDK for one). closes: #78656
NOTE: To the submitter of this bugreport, I'm pretty sure the JDK
relies on frame-pointer to handle some special ass-backwards stuff,
which won't work with these libraries since they are compiled without
frame-pointer (making it hard to strace, and debug using these libs).
* Yes, semget(2) refers to SEMMSL, but nothing I can find says it should
be defined in userspace. closes: #11560
* This patch only applies to kernel-headers, and since they don't need
to be used in userspace, it's ok to have some oddities, closes: #55578
* I was able to write a 90 byte "Hello World" .c, and compile it into
an 800 byte static binary using -nostdlib and -Wl,-lc. closes: #21676
* Making an ar archive from one .o is just silly, closes: #58606
* Patch sent upstream. Might change a bit, but the result should be the
same, closes: #73003
* I believe the reason the .pwd.lock file remains is to avoid a race
condition, where something might be waiting for the lock, and
unlinking it would cause something else to be able to obtain the lock,
even though it isn't available. closes: #14093
* I tried to reproduce this, but glob kept working right for me. I think
the user is misusing the function. Most likely they are passing the
glob on the command line, which is in turn doing some escape
processing, and not working right with glob() itself. closes: #67921
* In Debian, locales are not required to be installed. closes: #35875
* Could not reproduce in the latest glibc. Upstream seems to have fixed
this. closes: #75163
* Bug report log says this is fixed in glibc 2.1.1, closes: #36775
* I think this was an issue with the gcc-2.95 compiler defaulting to
486 instruction sets. This was fixed by gcc some time ago. closes:
#38998
* The "order" directive in host.conf is supposed to be a space separated
list of sources, not comma. This is a bug in host.conf(5), which has
already been reported. I'm closing this one to avoid duplication.
closes: #35731
* Appears to be related to #36775, but I checked the test case anyway,
and it worked as expected. closes: #35035
* I tried the test program, and it worked fine. So either guile or glibc
fixed the bug already. closes: #36030
* The locales package is not referenced by any other package ATM.
closes: #38742
* Symlink /usr/share/zoneinfo/localtime to /etc/localtime for libc5
compat. closes: #48705
* SUSv2 defines putenv as "int putenv(char *)", closes: #60960
* From my understanding of the SUSv2 definition, the pointer
reference of inbuf may be incremented to the current position of
translation. So in actuality, the object is not const. GLibc
interprets this using the __restrict compiler option (defined in gcc's
later than 2.92, e.g. egcs 1.1.2, and gcc 2.95). closes: #77312
* Fixed ambiguity problem in tzconfig, closes: #69045
* This was a netscape/libc5/plugin issue, closes: #50672
* User error. He is setting all of the fd's in the pollfd struct to -1,
which returns POLLNVAL, which is the expected response. closes: #51877
* objstack_* does use const definitions now, closes: #68918
* This was the old xmms-segv's-on-exit bug, fixed by glibc 2.1.9X (can't
remember which version exactly). closes: #74345
* leading zero makes sscanf determine the number as an octal, closes:
#69278
* zic.8: zdump is section 1, not 8. closes: #72095
* Old libdb2 upgrade issue, fixed during the 2.1.9x uploads. closes:
#72663
* Update this changelog to include the revisions from the stable (potato)
updates.
* Patch sent upstream. Fixes timezone showing up as "/etc/localtime".
closes: #71060
Files:
d6713baf156f470f0863352fff98d2ba 1080 libs required glibc_2.2-9.dsc
c48bcc51b897b61513721969942f36ff 629071 libs required glibc_2.2-9.diff.gz
4891921f447b03283ff76bc79e9ae529 3416394 base required libc6_2.2-9_sparc.deb
c1c8c8d53bb62fd16a0d4e063768bc64 2383048 devel standard libc6-dev_2.2-9_sparc.deb
4063c82f09a90234e7e3a3c792529f1e 976806 devel extra libc6-prof_2.2-9_sparc.deb
4591631f8b31d1af5c134b52edcb3ae2 2836298 devel extra libc6-dbg_2.2-9_sparc.deb
03d989834eac1d97e10f9bbbeb4cdb00 855264 devel extra libc6-pic_2.2-9_sparc.deb
3bf04d1a95fed0d3311015c996a22d07 902820 libs extra libc6-v9_2.2-9_sparc.deb
5d85b289e0e9d13fb60bdd0134b2e485 46230 admin optional nscd_2.2-9_sparc.deb
6ce3fff0f40abd1120599b3b3540965b 581802 admin standard locales_2.2-9_all.deb
8231d9b4d79c4ddc0c66733992028244 2403294 admin extra i18ndata_2.2-9_all.deb
5aac1abd3d8b46cbe0508a11cba0a7b8 2409846 doc optional glibc-doc_2.2-9_all.deb
516a1ddd6333cc3bf30b6b3de3380fb7 3547984 base required libc6_2.2-9_powerpc.deb
b8200167cb442e090efd84ff0fa9c882 2167526 devel standard libc6-dev_2.2-9_powerpc.deb
9f378e34bf7b5c7c8585519909680514 1058204 devel extra libc6-prof_2.2-9_powerpc.deb
daab9f22dac336ecb49d97d3835d44d7 2878670 devel extra libc6-dbg_2.2-9_powerpc.deb
ec432808c57aa01819cc58e3f07187f7 871834 devel extra libc6-pic_2.2-9_powerpc.deb
92f234de20216b103780853360e65d85 46924 admin optional nscd_2.2-9_powerpc.deb
3f9757b63c5b76fcdfa18a899f62f797 3069618 base required libc6_2.2-9_i386.deb
1fc3d93ef7affec8326facc04bdcb0dd 2180812 devel standard libc6-dev_2.2-9_i386.deb
f638be57ead16f4bc1c7490813edb922 888656 devel extra libc6-prof_2.2-9_i386.deb
9dae1c4f89cd04b8510270b4e435244f 2585434 devel extra libc6-dbg_2.2-9_i386.deb
657ba5fdbd70f08caa7ea0693d7962da 785466 devel extra libc6-pic_2.2-9_i386.deb
c2433e3b47033cb15bfd41cde76e1553 916836 libs extra libc6-i586_2.2-9_i386.deb
7e5efa104f8612f9760f8523f90bd6cf 915700 libs extra libc6-i686_2.2-9_i386.deb
6cfef9602d1f4edb8f98fb6c12f15929 46090 admin optional nscd_2.2-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Ben Collins <bcol...@debian.org>

iD8DBQE6VCQlfNc/ZB4E7C0RAtZsAJwNQu2NvxTx2bDMHOvYyeFS7lkZ4QCdGQ0q
CTP6i7YI8q6WnGhZ+Vi+VxI=
=1lEn
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-bugs-c...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org