Date: Tue, 13 Dec 2016 22:51:56 +0200
From: Andriy Gapon <avg@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org
Subject: Re: svn commit: r310025 - head/libexec/rtld-elf
Message-ID: <099725fe-af29-3f9d-852d-53357bb8e8fe@FreeBSD.org>
In-Reply-To: <201612131805.uBDI5EDm054866@repo.freebsd.org>
References: <201612131805.uBDI5EDm054866@repo.freebsd.org>
On 13/12/2016 20:05, Bryan Drewery wrote: > Author: bdrewery > Date: Tue Dec 13 18:05:14 2016 > New Revision: 310025 > URL: https://svnweb.freebsd.org/changeset/base/310025 > > Log: > Take write lock for rtld_bind before modifying obj_list in dl_iterate_phdr(). What are typical callers of dl_iterate_phdr() ? In what scenarios this bug would typically be hit? Thank you! > This avoids a race with readers such as dladdr(3)/dlinfo(3)/dlsym(3) and > the atexit(3) handler. This race was introduced in r294373. > > Reviewed by: markj, kib, kan > MFC after: 2 weeks > Sponsored by: Dell EMC Isilon > > Modified: > head/libexec/rtld-elf/rtld.c > > Modified: head/libexec/rtld-elf/rtld.c > ============================================================================== > --- head/libexec/rtld-elf/rtld.c Tue Dec 13 16:53:58 2016 (r310024) > +++ head/libexec/rtld-elf/rtld.c Tue Dec 13 18:05:14 2016 (r310025) > @@ -3549,7 +3549,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callbac > error = 0; > > wlock_acquire(rtld_phdr_lock, &phdr_lockstate); > - rlock_acquire(rtld_bind_lock, &bind_lockstate); > + wlock_acquire(rtld_bind_lock, &bind_lockstate); > for (obj = globallist_curr(TAILQ_FIRST(&obj_list)); obj != NULL;) { > TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next); > rtld_fill_dl_phdr_info(obj, &phdr_info); > @@ -3557,7 +3557,7 @@ dl_iterate_phdr(__dl_iterate_hdr_callbac > > error = callback(&phdr_info, sizeof phdr_info, param); > > - rlock_acquire(rtld_bind_lock, &bind_lockstate); > + wlock_acquire(rtld_bind_lock, &bind_lockstate); > obj = globallist_next(&marker); > TAILQ_REMOVE(&obj_list, &marker, next); > if (error != 0) { > -- Andriy Gapon
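Review bot: in the first hunk (@@ -3549), the new wlock_acquire(rtld_bind_lock, &bind_lockstate) carries no comment saying why a routine named as an iterator needs the exclusive lock. The reason is only visible two lines further down, where TAILQ_INSERT_AFTER(&obj_list, obj, &marker, next) writes to obj_list. Without a note at the acquire, a later reader can take the loop for a pure traversal and downgrade it back to rlock_acquire, which is the state this commit is fixing. Suggest a one-line comment above the acquire stating that inserting the marker modifies obj_list and so requires the write lock.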
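Review bot: in the second hunk (@@ -3557), the lock is re-acquired only after callback() returns, while the marker inserted in the first hunk is still linked into obj_list, so the list contains a marker entry for the whole duration of the callback. The write lock now covers globallist_next(&marker) and TAILQ_REMOVE(&obj_list, &marker, next), but it does nothing for a reader that walks obj_list during the callback and does not skip markers. Please confirm that the readers named in the log (dladdr(3), dlinfo(3), dlsym(3), the atexit(3) handler) all step over marker entries, and say so in a comment here. The body of the if (error != 0) branch is cut off in this hunk, so also check that this exit path releases rtld_bind_lock through bind_lockstate the same way the normal path does.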