From c2a93792fc9799d0c2f07f260f52e533e3bd178e Mon Sep 17 00:00:00 2001
From: Ryan Prichard
Date: Mon, 20 Apr 2020 17:59:18 -0700
Subject: [PATCH 1/2] android_get_exported_namespace: acquire g_dl_mutex

android_get_exported_namespace searches g_exported_namespaces, which isn't modified after process initialization, but it does the search using a new std::string object, and the linker's malloc/free functions aren't thread-safe. (They're protected by the same lock (g_dl_mutex) as the rest of the linker's state.)

Bug: http://b/150372650
Test: bionic-unit-tests
Change-Id: Iafd12e5ab36ae61f0642aad59939f528d31bda16
---
 linker/dlfcn.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linker/dlfcn.cpp b/linker/dlfcn.cpp
index 228e30a1a..255363f96 100644
--- a/linker/dlfcn.cpp
+++ b/linker/dlfcn.cpp
@@ -279,6 +279,7 @@ bool __loader_android_link_namespaces_all_libs(android_namespace_t* namespace_fr
 }
 android_namespace_t* __loader_android_get_exported_namespace(const char* name) {
+ ScopedPthreadMutexLocker locker(&g_dl_mutex);
 return get_exported_namespace(name);
 }

From 172611f5cee5ce1351a83ec9f83e13235d04b008 Mon Sep 17 00:00:00 2001
From: Ryan Prichard
Date: Mon, 20 Apr 2020 18:01:00 -0700
Subject: [PATCH 2/2] __loader_cfi_fail: acquire g_dl_mutex

CfiFail calls find_containing_library, which searches the linker's internal soinfo list, which could be modified by another thread.

Bug: http://b/150372650
Test: bionic-unit-tests
Change-Id: I59024a0a47913caa75702f15ec058b0a360727b5
---
 linker/dlfcn.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linker/dlfcn.cpp b/linker/dlfcn.cpp
index 255363f96..ec6850a40 100644
--- a/linker/dlfcn.cpp
+++ b/linker/dlfcn.cpp
@@ -284,6 +284,7 @@ android_namespace_t* __loader_android_get_exported_namespace(const char* name) {
 }
 void __loader_cfi_fail(uint64_t CallSiteTypeId, void* Ptr, void *DiagData, void *CallerPc) {
+ ScopedPthreadMutexLocker locker(&g_dl_mutex);
 CFIShadowWriter::CfiFail(CallSiteTypeId, Ptr, DiagData, CallerPc);
 }
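Review bot: The locker added to __loader_android_get_exported_namespace carries no comment, and the reason for it is non-obvious: the commit message says g_exported_namespaces is immutable after initialization, so a later reader will assume the lock guards the table and may remove it as redundant. Suggest one line above the locker, `// The namespace table is immutable after init, but get_exported_namespace builds a std::string and the linker allocator is only safe under g_dl_mutex.` It would also help to state that the returned android_namespace_t* stays valid after the lock is released, since the lock scope ends before the caller dereferences it; that lifetime cannot be confirmed from this hunk alone.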
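Review bot: __loader_cfi_fail is entered on a CFI check failure, which can fire on any thread, including one that already holds g_dl_mutex (for example in a constructor run during dlopen); if g_dl_mutex is not recursive, the added locker would turn the intended abort into a self-deadlock, and nothing in the hunk says which it is. Assuming it is the recursive mutex used elsewhere in this file, a comment should record that dependency: `// g_dl_mutex is recursive: a CFI failure raised while this thread is already inside the linker must still reach CfiFail.` Note also that the lock is now held for the whole of CfiFail, so if that routine calls back into the failing library's diagnostic handler, any linker API used from there re-enters the lock, which again is only safe for a recursive mutex. These points are inferred from the commit message and function names rather than visible in the hunk.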