Bug#588004: libc6: abort segfaults under race condition with bsd_signal

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#588004: libc6: abort segfaults under race condition with bsd_signal
From: "brian m. carlson" <sandals@crustytoothpaste.net>
Date: Sat, 3 Jul 2010 20:34:01 +0000
Message-id: <[🔎] 20100703203400.GA22070@crustytoothpaste.ath.cx>
Reply-to: "brian m. carlson" <sandals@crustytoothpaste.net>, 588004@bugs.debian.org

Package: libc6
Version: 2.11.2-2
Severity: normal

In the attached source code, there is a race condition between
bsd_signal and abort.  In most instances when the program is run, abort
successfully terminates the program with a SIGABRT.  However, on a very
rare occasion, the program instead terminates with a SIGSEGV.  This
should not happen, as it contradicts both POSIX 1003.1-2008 and also the
abort(3) man page.

Since this condition is very hard to reproduce, I ran it as follows:

  for i in `seq 1 100000`; do (ulimit -c unlimited; ./testcase; if [ $? -eq 139 ]; then cp core core.segv; fi); done

"gdb ./testcase core.segv" then gives the following:

  (gdb) bt full
  #0  *__GI_abort () at abort.c:128
          act = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {18446744073709551615 <repeats 16 times>}}, 
            sa_flags = 0, sa_restorer = 0}
          sigs = {__val = {32, 0 <repeats 15 times>}}
  #1  0x000000000040067a in main () at testcase.c:23
          thrd = 140157473478416

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin                      2.11.2-2   Embedded GNU C Library: Binaries
ii  libgcc1                       1:4.5.0-7  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  cdebconf [debconf-2.0]        0.149      Debian Configuration Management Sy
ii  debconf [debconf-2.0]         1.5.32     Debian configuration management sy
pn  glibc-doc                     <none>     (no description available)
ii  locales                       2.11.2-2   Embedded GNU C Library: National L

-- debconf information excluded

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

/* Compile with: gcc -g -O3 -pthread -o testcase testcase.c */

#include <signal.h>
#include <stddef.h>

#ifdef NIH
extern void abort(void);
#else
#include <stdlib.h>
#endif

void *ignore_sigabrt(void *dummy)
{
	for (;;)
		bsd_signal(SIGABRT, SIG_IGN);
}

int main(void)
{
	pthread_t thrd;

	pthread_create(&thrd, NULL, ignore_sigabrt, NULL);
	pthread_detach(thrd);

	abort();

	return 0;
}

Attachment: signature.asc
Description: Digital signature

Reply to:

Next by Date: Bug#588144: libc6: As shipped /etc/bindresvport.blacklist lines are ignored due to tabs
Next by thread: Bug#588144: libc6: As shipped /etc/bindresvport.blacklist lines are ignored due to tabs
Index(es):
- Date
- Thread