Commit graph

177 commits

Author SHA1 Message Date
Bjorn Andersson
0753dc653e pthread: Invalidate stale stack pointers on pthread_exit()
A call to pthread_key_delete() after pthread_exit() has unmapped the stack of a thread
but before the ongoing pthread_join() has finished executing will result in an access
to unmapped memory.
Avoid this by invalidating the stack_base and tls pointers during pthread_exit().

This is based on the investigation and proposed solution by
Srinavasa Nagaraju <srinavasa.x.nagaraju@sonyericsson.com>

Change-Id: I145fb5d57930e91b00f1609d7b2cd16a55d5b3a9
2012-05-08 17:43:57 -07:00
Pierre Peiffer
d0c884d359 Let pthread_create fail if schedparam can't be set
The creation of a thread succeeds even if the requested scheduling
parameters can not be set. This is not POSIX compliant, and even
worse, it leads to wrong behavior. Let pthread_create() fail in this
case.

Change-Id: Ice66e2a720975c6bde9fe86c2cf8f649533a169c
Signed-off-by: Christian Bejram <christian.bejram@stericsson.com>
2012-05-08 10:54:51 -07:00
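Added example, not code from this commit or from bionic: a small C program that checks the POSIX guarantee the commit above restores. With PTHREAD_EXPLICIT_SCHED and a requested policy, pthread_create() must either fail (typically EPERM when an unprivileged process asks for SCHED_FIFO) or create a thread that really runs with that policy; returning 0 while silently dropping the parameters is the behaviour the commit removes. The function name check_explicit_sched and the report_policy thread body are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/* What the new thread observes about its own scheduling. */
struct observed {
    int policy;
    int priority;
};

static void *report_policy(void *arg)
{
    struct observed *obs = arg;
    struct sched_param sp;
    if (pthread_getschedparam(pthread_self(), &obs->policy, &sp) == 0)
        obs->priority = sp.sched_priority;
    return NULL;
}

/* Creates a thread with explicit scheduling attributes and checks that
 * pthread_create() behaved consistently.
 * Returns pthread_create()'s own return value (0, or an errno such as
 * EPERM) when the outcome is consistent: either creation failed, or it
 * succeeded and the thread reports exactly the requested policy and
 * priority. Returns -1 when creation "succeeded" but the parameters were
 * silently ignored, which is the non-compliant behaviour the commit fixes. */
int check_explicit_sched(int policy, int priority)
{
    pthread_attr_t attr;
    struct sched_param sp = { .sched_priority = priority };
    struct observed obs = { .policy = -1, .priority = -1 };
    pthread_t tid;
    int rc;

    pthread_attr_init(&attr);
    pthread_attr_setinheritsched(&attr, PTHREAD_EXPLICIT_SCHED);
    pthread_attr_setschedpolicy(&attr, policy);
    pthread_attr_setschedparam(&attr, &sp);

    rc = pthread_create(&tid, &attr, report_policy, &obs);
    pthread_attr_destroy(&attr);
    if (rc != 0)
        return rc;              /* failing loudly is the compliant outcome */

    pthread_join(tid, NULL);
    if (obs.policy != policy || obs.priority != priority)
        return -1;              /* thread exists, but with the wrong parameters */
    return 0;
}

int main(void)
{
    int rc = check_explicit_sched(SCHED_FIFO, 10);
    if (rc == -1)
        printf("SCHED_FIFO: thread created but parameters ignored (non-compliant)\n");
    else
        printf("SCHED_FIFO: pthread_create() returned %d (%s)\n",
               rc, rc ? strerror(rc) : "thread ran with the requested policy");
    return rc == -1;
}
```

Run it as an unprivileged user and the SCHED_FIFO request is refused with EPERM; run it with CAP_SYS_NICE and the thread is created with the policy in effect. Both are consistent outcomes; only a 0 return with a SCHED_OTHER thread would show the bug the commit describes.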
Xi Wang
7f5aa4f35e bionic: fix integer overflows in chk_malloc(), leak_malloc(), and leak_memalign()
The allocation size in chk_malloc(), leak_malloc(), and leak_memalign()
functions may be rounded up to a small value, leading to buffer overflows.
The code only runs in debugging mode.

This patch complements commit 6f04a0f4 (CVE-2009-0607).

Change-Id: Id899bcd2bcd2ea2205e5753c433390710032dc83
Signed-off-by: Xi Wang <xi.wang@gmail.com>
2012-05-07 10:50:21 -07:00
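Added example, not the bionic code this commit patches: a model of the size computation behind a sentinel-padded debug allocator, showing the unchecked form that wraps around next to the checked form. The guard sizes and the names chk_size_unchecked, chk_size_checked, memalign_size_checked, chk_malloc_checked and chk_free_checked are assumptions of this example, not bionic's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed guard sizes: a sentinel before and after each user block. */
#define CHK_SENTINEL_HEAD_SIZE 16
#define CHK_SENTINEL_TAIL_SIZE 16
#define CHK_OVERHEAD (CHK_SENTINEL_HEAD_SIZE + CHK_SENTINEL_TAIL_SIZE)

/* Unchecked form. size_t arithmetic wraps, so for a request near SIZE_MAX
 * the padded size becomes a small number, a small block gets allocated,
 * and the caller then writes far past its end. */
size_t chk_size_unchecked(size_t bytes)
{
    return bytes + CHK_OVERHEAD;
}

/* Checked form: reject any request whose padded size does not fit in
 * size_t. Returns 0 on overflow (caller fails the allocation), else the
 * padded size. */
size_t chk_size_checked(size_t bytes)
{
    if (bytes > SIZE_MAX - CHK_OVERHEAD)
        return 0;
    return bytes + CHK_OVERHEAD;
}

/* memalign-style variant: add the overhead, then round up to `alignment`
 * (a power of two), checking each step for wrap-around.
 * Returns 0 on overflow or on a non-power-of-two alignment. */
size_t memalign_size_checked(size_t bytes, size_t alignment)
{
    size_t padded;
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return 0;
    if (bytes > SIZE_MAX - CHK_OVERHEAD)
        return 0;
    padded = bytes + CHK_OVERHEAD;
    if (padded > SIZE_MAX - (alignment - 1))
        return 0;
    return (padded + alignment - 1) & ~(alignment - 1);
}

/* Guarded allocation on top of the checked size: the user pointer starts
 * just past the head sentinel. Returns NULL on overflow or out of memory. */
void *chk_malloc_checked(size_t bytes)
{
    size_t total = chk_size_checked(bytes);
    unsigned char *raw;
    if (total == 0)
        return NULL;
    raw = malloc(total);
    if (raw == NULL)
        return NULL;
    return raw + CHK_SENTINEL_HEAD_SIZE;
}

void chk_free_checked(void *ptr)
{
    if (ptr != NULL)
        free((unsigned char *)ptr - CHK_SENTINEL_HEAD_SIZE);
}

int main(void)
{
    size_t huge = SIZE_MAX - 4;
    void *p;
    printf("request %zu: unchecked padded size = %zu, checked = %zu\n",
           huge, chk_size_unchecked(huge), chk_size_checked(huge));
    p = chk_malloc_checked(huge);
    printf("chk_malloc_checked(huge) -> %s\n",
           p ? "non-NULL (bug)" : "NULL (rejected)");
    chk_free_checked(p);
    return 0;
}
```

The unchecked computation turns a request of SIZE_MAX - 4 into a padded size of 27 bytes, which is exactly the "rounded up to a small value" case the commit message describes; the checked form refuses it before any allocation happens.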
Ken Sumrall
6baffed252 Add the posix_memalign(3) function to bionic
The posix_memalign(3) function is very similar to the traditional
memalign(3) function, but with better error reporting and a guarantee
that the memory it allocates can be freed.  In bionic, memalign(3)
allocated memory can be freed, so posix_memalign(3) is just a wrapper
around memalign(3).

Change-Id: I62ee908aa5ba6b887d8446a00d8298d080a6a299
2012-04-27 09:34:53 -07:00
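Added example, not bionic's implementation: a posix_memalign(3)-style wrapper over memalign(3) that shows the error-reporting contract the commit refers to. The names my_posix_memalign and try_posix_memalign are assumptions of this example.

```c
#include <errno.h>
#include <malloc.h>     /* memalign(3) on glibc, musl and bionic */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* posix_memalign(3) semantics on top of memalign(3):
 *  - alignment must be a power of two and a multiple of sizeof(void *),
 *    otherwise EINVAL;
 *  - allocation failure is reported as ENOMEM through the return value,
 *    never through errno;
 *  - on success *memptr receives memory that may be passed to free(). */
int my_posix_memalign(void **memptr, size_t alignment, size_t size)
{
    void *p;
    if (alignment == 0 || (alignment & (alignment - 1)) != 0 ||
        alignment % sizeof(void *) != 0)
        return EINVAL;
    p = memalign(alignment, size);
    if (p == NULL)
        return ENOMEM;
    *memptr = p;
    return 0;
}

/* Allocates, verifies the returned address really is aligned, frees, and
 * reports the result code. Returns -1 if the pointer was misaligned. */
int try_posix_memalign(size_t alignment, size_t size)
{
    void *p = NULL;
    int rc = my_posix_memalign(&p, alignment, size);
    if (rc != 0)
        return rc;
    if (((uintptr_t)p % alignment) != 0) {
        free(p);
        return -1;
    }
    free(p);
    return 0;
}

int main(void)
{
    printf("alignment 3    -> %d (EINVAL is %d)\n", try_posix_memalign(3, 100), EINVAL);
    printf("alignment 64   -> %d\n", try_posix_memalign(64, 100));
    printf("alignment 4096 -> %d\n", try_posix_memalign(4096, 100));
    return 0;
}
```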
Jack Ren
34e89c232d bionic: fix atfork handler_mutex deadlock
After applying the kernel_id fix, the system refused to boot up and we
got following crash log:
I/DEBUG   (  113): pid: 618, tid: 618  >>> org.simalliance.openmobileapi.service:remote <<<
I/DEBUG   (  113): signal 16 (SIGSTKFLT), code -6 (?), fault addr --------
I/DEBUG   (  113):  eax fffffe00  ebx b77de994  ecx 00000080  edx 00724002
I/DEBUG   (  113):  esi 00000000  edi 00004000
I/DEBUG   (  113):  xcs 00000073  xds 0000007b  xes 0000007b  xfs 00000000 xss 0000007b
I/DEBUG   (  113):  eip b7761351  ebp bfdf3de8  esp bfdf3dc4  flags 00000202
I/DEBUG   (  113):     #00  eip: 00015351  /system/lib/libc.so
I/DEBUG   (  113):     #01  eip: 0000d13c  /system/lib/libc.so (pthread_mutex_lock)
I/DEBUG   (  113):     #02  eip: 00077b48  /system/lib/libc.so (__bionic_atfork_run_prepare)
I/DEBUG   (  113):     #03  eip: 00052cdb  /system/lib/libc.so (fork)
I/DEBUG   (  113):     #04  eip: 0009ae91  /system/lib/libdvm.so (_Z18dvmOptimizeDexFileillPKcjjb)
I/DEBUG   (  113):     #05  eip: 000819d6  /system/lib/libdvm.so (_Z14dvmJarFileOpenPKcS0_PP7JarFileb)
I/DEBUG   (  113):     #06  eip: 000b175e  /system/lib/libdvm.so (_ZL40Dalvik_dalvik_system_DexFile_openDexFilePKjP6JValue)
I/DEBUG   (  113):     #07  eip: 0011fb94  /system/lib/libdvm.so

Root cause:
The atfork uses the mutex handler_mutex to protect the atfork_head. The
parent will call __bionic_atfork_run_prepare() to lock the handler_mutex,
and need both the parent and child to unlock their own copy of handler_mutex
after fork. At that time, the owner of handler_mutex is set as the parent.
If we apply the kernel_id fix, then the child's kernel_id will be set as
child's tid.
The handler_mutex is a recursive lock, and pthread_mutex_unlock(&handler_mutex)
will fail because the mutex owner is the parent, while the current tid
(__get_thread()->kernel_id) is child, not matched with the mutex owner.
At that time, the handler_mutex is left in locked state. If the child wants to
fork another process after that, then it will try to lock handler_mutex, and
then be deadlocked.

Fix:
Since the child has its own copy of vm space from the parent, the
child space's handler_mutex should be reset to the initialized state.

Change-Id: I3907dd9a153418fb78862f2aa6d0302c375d9e27
Signed-off-by: Jack Ren <jack.ren@intel.com>
Signed-off-by: Chenyang Du <chenyang.du@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2012-03-17 17:08:54 +08:00
Jack Ren
d8bc6e7119 bionic: Fix wrong kernel_id in pthread descriptor after fork()
After forking, the kernel_id field in the pthread_internal_t returned by pthread_self()
is incorrect --- it's the tid from the parent, not the new tid of the
child.

The root cause is that: currently the kernel_id is set by
_init_thread(), which is called in 2 cases:
(1) called by __libc_init_common(). That happens when the execv( ) is
called after fork( ). But when the zygote tries to fork the android
application, the child application doesn't call execv( ), instead, it
tries to call the Java main method directly.
(2) called by pthread_create(). That happens when a new thread is
created.

For the lead thread which is the thread created by fork(), it should
call execv() but it doesn't, as described in (1) above. So its kernel_id
will inherit the parent's kernel_id.

Fixed it in this patch.

Change-Id: I63513e82af40ec5fe51fbb69456b1843e4bc0fc7
Signed-off-by: Chenyang Du <chenyang.du@intel.com>
Signed-off-by: Jack Ren <jack.ren@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2012-03-12 23:14:56 +08:00
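Added example, not bionic's code: a stand-alone C program that reproduces on an ordinary Linux libc the two fork() hazards described in the two commits above (atfork handler_mutex deadlock, stale kernel_id), and the reset the first commit applies. A recursive mutex standing in for handler_mutex is held by the parent across fork(); the child's copy still records the parent as owner, so unlocking it from the child fails with EPERM, while re-initialising the child's copy lets it lock again. Separately, a thread id cached before fork() (standing in for kernel_id) is compared with the child's real tid. The names handler_mutex, cached_kernel_id, run_in_child and the probe functions are assumptions of this example; each child reports its result to the parent through its exit status.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for bionic's handler_mutex: a recursive mutex held across fork(). */
static pthread_mutex_t handler_mutex;
static int handler_mutex_ready;

/* Stand-in for the kernel_id cached in the thread descriptor. */
static pid_t cached_kernel_id;

static pid_t current_tid(void)
{
    return (pid_t)syscall(SYS_gettid);
}

static void init_recursive(pthread_mutex_t *m)
{
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE);
    pthread_mutex_init(m, &attr);
    pthread_mutexattr_destroy(&attr);
}

static void ensure_ready(void)
{
    if (!handler_mutex_ready) {
        init_recursive(&handler_mutex);
        handler_mutex_ready = 1;
    }
}

/* Forks, runs `probe` in the child, and returns the child's exit status
 * (0..255), or -1 if fork()/waitpid() failed. */
static int run_in_child(int (*probe)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe() & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hazard 1: the child's copy of the mutex still names the parent's tid as
 * owner, so the child's unlock is rejected. Expected: EPERM. */
static int probe_unlock_inherited(void)
{
    return pthread_mutex_unlock(&handler_mutex);
}

/* Fix from the first commit: the child resets its own copy to the
 * initialised state instead of unlocking it; afterwards lock/unlock (and a
 * later fork()) work. Expected: 0. */
static int probe_reset_then_lock(void)
{
    init_recursive(&handler_mutex);
    if (pthread_mutex_lock(&handler_mutex) != 0)
        return 1;
    if (pthread_mutex_unlock(&handler_mutex) != 0)
        return 2;
    return 0;
}

/* Hazard 2 (second commit): a tid cached before fork() is the parent's,
 * not the child's. Expected: 1 (stale). */
static int probe_cached_tid(void)
{
    return cached_kernel_id == current_tid() ? 0 : 1;
}

/* Parent locks the mutex, forks, and reports the child's unlock result. */
int unlock_inherited_mutex_in_child(void)
{
    int rc;
    ensure_ready();
    pthread_mutex_lock(&handler_mutex);
    rc = run_in_child(probe_unlock_inherited);
    pthread_mutex_unlock(&handler_mutex);
    return rc;
}

int reset_mutex_in_child(void)
{
    int rc;
    ensure_ready();
    pthread_mutex_lock(&handler_mutex);
    rc = run_in_child(probe_reset_then_lock);
    pthread_mutex_unlock(&handler_mutex);
    return rc;
}

int cached_tid_is_stale_in_child(void)
{
    cached_kernel_id = current_tid();
    return run_in_child(probe_cached_tid);
}

int main(void)
{
    printf("child unlock of inherited mutex -> %d (EPERM is %d)\n",
           unlock_inherited_mutex_in_child(), EPERM);
    printf("child reset, then lock/unlock   -> %d\n", reset_mutex_in_child());
    printf("cached tid stale in child       -> %d\n", cached_tid_is_stale_in_child());
    return 0;
}
```

The first probe is the state the deadlock commit describes: the unlock silently fails, the mutex stays locked in the child, and the child's next fork() would block on it. The third probe is why the fix was needed only once kernel_id was corrected: with the stale (parent) tid still cached, the owner check would have passed by accident.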
Rabin Vincent
177ba8cb42 Prevent deadlock when using fork
When forking a new process in bionic, it is critical that it
does not allocate any memory according to the comment in
java_lang_ProcessManager.c:
"Note: We cannot malloc() or free() after this point!
A no-longer-running thread may be holding on to the heap lock, and
an attempt to malloc() or free() would result in deadlock."
However, as tracing fork a bit shows, it uses standard lib calls,
which might allocate memory and thus cause the deadlock.
This is a rewrite so that the function cpuacct_add, which fork calls,
uses system calls instead of standard lib calls.

Signed-off-by: christian bejram <christian.bejram@stericsson.com>

Change-Id: Iff22ea6b424ce9f9bf0ac8e9c76593f689e0cc86
2011-12-06 08:39:18 -08:00
Bruce Beare
e4a21c89a8 signal: Align the sigset_t size passed from user space to kernel.
Pass kernel space sigset_t size to __rt_sigprocmask to work around
the mismatch of NSIG/sigset_t definition between kernel and bionic.

Note: Patch originally from Google...
Change-Id: I4840fdc56d0b90d7ce2334250f04a84caffcba2a
Signed-off-by: Chenyang Du <chenyang.du@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-12-05 18:37:33 -08:00
Bruce Beare
89d3fdcae2 MALLOC_DEBUG: enable the option libc.debug.malloc = 10
Fix the compile warning to let libc.debug.malloc=10 work well.
It was due to an unsuitable value comparison, which caused the compiler
to optimize the code comparing two digits.

Change-Id: I0bedd596c9ca2ba308fb008da20ecb328d8548f5
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
Author: liu chuansheng <chuansheng.liu@intel.com>
2011-12-05 14:58:55 -08:00
Jack Ren
e480fc83b2 bionic: fix pthread_{create, exit}/signal race condition
(1) in pthread_create:
    If a signal is received before esp is subtracted by 16 and
    __thread_entry( ) is called, the stack will be cleared by kernel
    when it tries to construct the signal stack frame. That will cause
    __thread_entry to get a wrong tls pointer from the stack,
    which leads to a segmentation fault when trying to access tls content.

(2) in pthread_exit
    After pthread_exit called system call unmap(), its stack will be
    freed.  If one signal is received at that time, there is no stack
    available for it.

Fixed by subtracting the child's esp by 16 before the clone system
call and by blocking signal handling before pthread_exit is started.

Author: Jack Ren <jack.ren@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-11-29 17:09:51 -08:00
Glenn Kasten
d53cae0e45 Add non-NDK internal API __pthread_gettid
Tracking bugs 5267571 and 5090073 (for deadlock detection logs).

Change-Id: Icb90f91ec1525607551c2234ef921bf88296484f
2011-09-16 12:38:28 -07:00
David 'Digit' Turner
30e30acf10 am 6b6ebeca: am 3a131026: resolved conflicts for merge of 50a83255 to gingerbread-plus-aosp
* commit '6b6ebeca985fb3843b56b507ac4ac1be44080a9c':
  enable support for large files (> 2G)
  Enable functional DSO object destruction
  x86: Enable -fstack-protector
  Update X86 Bionic CRT files for unwind/exceptions
  bionic, libthread_db x86 fixes
  Updated gcc 4.4.3 IA toolchain doesn't require the .ctors list
  Remove an extra register move.
  Replace __atomic_XXX with GCC __sync_XXX intrinsics.
  move some typedefs to procfs.h required by gdbserver build
  use consistent guards for off_t and size_t defines for IA
  Simplify variable typing for IA builds
  sigsetmask.c was not processing the "mask" argument.
  Add defines for CAIF support
  Remove extra/unneeded copy of fenv.h
  Use proper variable typing
  Update ATOM string routines to latest
  Fix undefined reference to dl_iterate_phdr for x86
  Fix missing NL
  ptrace.c Fix source file format to unix from dos
2011-07-13 14:53:56 -07:00
David 'Digit' Turner
6b6ebeca98 am 3a131026: resolved conflicts for merge of 50a83255 to gingerbread-plus-aosp
* commit '3a13102637c8be53edf28f96598ac11aaa3e14df':
  enable support for large files (> 2G)
  Enable functional DSO object destruction
  x86: Enable -fstack-protector
  Update X86 Bionic CRT files for unwind/exceptions
  bionic, libthread_db x86 fixes
  Updated gcc 4.4.3 IA toolchain doesn't require the .ctors list
  Remove an extra register move.
  Replace __atomic_XXX with GCC __sync_XXX intrinsics.
  move some typedefs to procfs.h required by gdbserver build
  use consistent guards for off_t and size_t defines for IA
  Simplify variable typing for IA builds
  sigsetmask.c was not processing the "mask" argument.
  Add defines for CAIF support
  Remove extra/unneeded copy of fenv.h
  Use proper variable typing
  Update ATOM string routines to latest
  Fix undefined reference to dl_iterate_phdr for x86
  Fix missing NL
  ptrace.c Fix source file format to unix from dos
2011-07-11 13:25:01 -07:00
David 'Digit' Turner
3a13102637 resolved conflicts for merge of 50a83255 to gingerbread-plus-aosp
Change-Id: Idf1971120bbdd52676f95aa3aa69f62342dc012e
2011-07-11 21:39:14 +02:00
James Rose
3435fc600d bionic, libthread_db x86 fixes
Orig-Change-Id: I3be997f5f1f6a894a3c200d4f325cf3bfd428c66
Author: James Rose <james.rose@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-07-07 22:46:16 +02:00
Bruce Beare
bf29647964 Updated gcc 4.4.3 IA toolchain doesn't require the .ctors list
Orig-Change-Id: Ia840a19a45257128eccdcf25d105f500f2d90741
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-07-07 22:46:16 +02:00
Bruce Beare
0f2dc2b60c ptrace.c Fix source file format to unix from dos
Orig-Change-Id: Ia771b457eec7f9575d4631fb1c12a7062ebcc7de
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-07-07 22:46:15 +02:00
Jean-Baptiste Queru
681c4bd782 Merge b3773e9c
Change-Id: I5787d9ac5e745a08e1c891e9ce9efc4e7f97ace8
2011-07-06 13:00:05 -07:00
Jean-Baptiste Queru
cb5529efd8 Merge 784515ad
Change-Id: I3e5b691d008e9548f43339635bafdd95bc2f56fe
2011-07-06 12:59:55 -07:00
Jean-Baptiste Queru
c993768360 Revert "Revert "libc: Add logcat error message for memory corruption""
This reverts commit 368ee1e4d6.
2011-07-06 12:58:56 -07:00
David 'Digit' Turner
b3773e9cc8 am 9c95cbf7: Merge "Really fix the build."
* commit '9c95cbf75094c15d251bb3d57a55ce47d7c6c2c8':
  Really fix the build.
2011-07-06 10:27:49 -07:00
David 'Digit' Turner
c51871d4b2 Really fix the build.
libcutils/mspace.c includes libc/bionic/dlmalloc.c, we need to
take care of the fact that any internal C library function cannot
be used from it.

Change-Id: I0bc81ae090b7ac2d464f26b97fc6b94a08cdad9c
2011-07-06 19:02:15 +02:00
David 'Digit' Turner
784515ad93 am 01eb7f72: Merge "Fix broken build"
* commit '01eb7f72434830bb14cec906d885d2b7ee40d53b':
  Fix broken build
2011-07-06 09:08:47 -07:00
David 'Digit' Turner
a4824467c3 Fix broken build
Change-Id: Ia46b50aec51a55434c8828a73e07f4732f8f6c1c
2011-07-06 17:54:35 +02:00
Mathew Inwood
368ee1e4d6 Revert "libc: Add logcat error message for memory corruption"
This fixes the build.

This reverts commit 7708a89c60.
2011-07-06 16:51:54 +01:00
David 'Digit' Turner
877923d369 am d25ea49e: am b73b6783: Merge "libc: Add logcat error message for memory corruption"
* commit 'd25ea49e632c00d57d893563dac3f6dae5493b7e':
  libc: Add logcat error message for memory corruption
2011-07-06 07:53:10 -07:00
David 'Digit' Turner
d25ea49e63 am b73b6783: Merge "libc: Add logcat error message for memory corruption"
* commit 'b73b6783a595cf4b1cef6463c23317a8b417f1e9':
  libc: Add logcat error message for memory corruption
2011-07-06 07:46:40 -07:00
David 'Digit' Turner
7708a89c60 libc: Add logcat error message for memory corruption
Our dlmalloc implementation currently calls abort() when it detects
that the heap is corrupted, or that an invalid pointer is passed to
one of its functions.

The only way to detect this is because abort() will forcefully
crash the current program with a magic fault address of '0xdeadbaad'.

However, this is not really well documented, and a frequent topic
on the android-ndk forum (among others).

This change makes our dlmalloc code dump a simple message to the
log just before the abort() call (and hence before the stack trace)
to better help identify the problem.

Change-Id: Iebf7eb7fe26463ecadfaca8f247d237edb441e3c
2011-07-05 19:53:53 +02:00
Brian Carlstrom
1f8e2672a8 Implement getpwnam_r(3) and getpwuid_r(3).
These functions were already declared in <pwd.h>, but hadn't been implemented
yet.

git cherry-pick --no-commit 081504af74

Change-Id: I316acf4cffb9f2c6788e8e342aa620f9a00886d5
2011-05-27 00:52:21 -07:00
David Turner
54e494d909 am add0a45a: am e8f7e30b: Merge "bionic, libthread_db x86 fixes"
* commit 'add0a45a117f00553e79e7137d023416f9c0a54f':
  bionic, libthread_db x86 fixes
2011-05-11 13:11:56 -07:00
David Turner
add0a45a11 am e8f7e30b: Merge "bionic, libthread_db x86 fixes"
* commit 'e8f7e30b05c6ba103d64c1fb3cd5ef2b17be7aab':
  bionic, libthread_db x86 fixes
2011-05-10 17:19:13 -07:00
Bruce Beare
8e551a6319 bionic, libthread_db x86 fixes
Change-Id: I3be997f5f1f6a894a3c200d4f325cf3bfd428c66
Author: James Rose <james.rose@intel.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-04-27 09:12:58 -07:00
David Turner
3be409a38c am 70245736: am aad685ce: am 4c090434: Merge "removing shadowing redeclaration of result"
* commit '702457363c2b1b01f0d9cb0093a48ce28753e275':
  removing shadowing redeclaration of result
2011-04-11 14:50:33 -07:00
David Turner
702457363c am aad685ce: am 4c090434: Merge "removing shadowing redeclaration of result"
* commit 'aad685ce001495260a3ce0c9d9284a6ee3ca09c0':
  removing shadowing redeclaration of result
2011-04-11 14:46:48 -07:00
Brad Fitzpatrick
5f133f3c4d am 31e2feee: am 2dc801f9: am 8da75ab8: Ignore property set timeouts.
* commit '31e2feeef3dffb49ce742a6ae1c9280c792c7c49':
  Ignore property set timeouts.
2011-04-01 12:27:07 -07:00
Brad Fitzpatrick
2dc801f9fc am 8da75ab8: Ignore property set timeouts.
* commit '8da75ab8936b0b7fcf8dd9a3befeb696ee6aa39d':
  Ignore property set timeouts.
2011-04-01 12:24:15 -07:00
Brad Fitzpatrick
8da75ab893 Ignore property set timeouts.
Change-Id: Ic3f6119398368ba047736370336d0260905abd40
2011-04-01 10:53:12 -07:00
Brad Fitzpatrick
099423ba1c am 23bc3ff7: Don't futex_wait spin when setting properties. Wait for socket close.
* commit '23bc3ff71dffdfec208aee05938e544c7cb3bc37':
  Don't futex_wait spin when setting properties. Wait for socket close.
2011-03-30 15:48:11 -07:00
Brad Fitzpatrick
23bc3ff71d Don't futex_wait spin when setting properties. Wait for socket close.
Depends on init change I8dd685ea

Bug: 4185486
Change-Id: I5a2dbc3b7be1759212d4a3988d9033b9b947a1db
2011-03-30 15:28:11 -07:00
Brad Fitzpatrick
bf90b57b44 Don't futex_wait spin when setting properties. Wait for socket close.
Depends on init change I8dd685ea

Bug: 4185486
Change-Id: I3e80cecfad8e072973003ec6f93146c5cad369ac
2011-03-30 14:25:27 -07:00
Christopher Schwardt
0f5587097b removing shadowing redeclaration of result
Change-Id: Ic1f86962dfb8620cf5c63ff4913b2f0bf908abb5
2011-03-22 15:35:40 +01:00
Carl Shapiro
2cc2b2be69 Add some missing includes.
Change-Id: Ieec623c06bc32ec78334f628af25b00c2bccd2e7
2011-03-21 20:01:03 -07:00
satok
0b3c5c50f7 do not merge. Move property setting from libcutils to bionic.
Backport I110b653a58f3

All the other property stuff is already here.  Property setting was
only in libcutils previously to leverage a utility function / constant
or two.

Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.

Along with Iee1ca9b7, this now passes:

$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
  com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner

Bug: 3511230

Change-Id: I1b588db3344169621e1279ecc0b660cf4e1015d7
2011-03-15 23:06:58 -07:00
satok
ec7e8cc9dd do not merge. Move property setting from libcutils to bionic.
Backport I110b653a58f3

All the other property stuff is already here.  Property setting was
only in libcutils previously to leverage a utility function / constant
or two.

Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.

Along with Iee1ca9b7, this now passes:

$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
  com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner

Bug: 3511230

Change-Id: I1b588db3344169621e1279ecc0b660cf4e1015d7
2011-03-15 11:02:26 +09:00
Brad Fitzpatrick
4399df8f2e Move property setting from libcutils to bionic.
All the other property stuff is already here.  Property setting was
only in libcutils previously to leverage a utility function / constant
or two.

Unfortunately in the process of fixing a race condition we would've
had to do break abstraction boundaries and put some libc-internal
details into libcutils so instead of that we'll just move this
into bionic.

Along with Iee1ca9b7, this now passes:

$ adb shell am instrument -w -e class android.os.SystemPropertiesTest \
  com.android.frameworks.coretests.systemproperties/android.test.InstrumentationTestRunner

Bug: 3511230
Change-Id: I110b653a58f312fbe069dca59892a877ae9bc911
2011-03-14 16:53:18 -07:00
Brad Fitzpatrick
f9316d37b4 am 08a4ce98: am 0c398985: Merge "[ENDIAN] Build md5 code correctly for bigendian targets"
* commit '08a4ce983ba14cef394e5198c9561349ec7fef44':
  [ENDIAN] Build md5 code correctly for bigendian targets
2011-03-14 11:50:56 -07:00
Paul Lind
865e3789dd [ENDIAN] Build md5 code correctly for bigendian targets
Signed-off-by: Raghu Gandham <raghu@mips.com>
2011-03-10 11:13:50 -08:00
David 'Digit' Turner
81d79f9fb3 am 962dcb22: am fed58049: Merge "libc: Fix PTHREAD_RWLOCK_INITIALIZER"
* commit '962dcb22218a1a6d4ebd05e4fc4a69875d037234':
  libc: Fix PTHREAD_RWLOCK_INITIALIZER
  Proxy getnameinfo through netd
  Updated gcc 4.4.3 IA toolchain doesn't require the .ctors list
  Convert cname length before use
2011-03-10 01:55:35 -08:00
Bruce Beare
48e1feaa9d Updated gcc 4.4.3 IA toolchain doesn't require the .ctors list
Change-Id: Ia840a19a45257128eccdcf25d105f500f2d90741
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Bruce Beare <bruce.j.beare@intel.com>
2011-02-16 17:50:23 -08:00
Andy McFadden
4ce737f5df Added _memmove_words
Added a memmove() variant for Dalvik's System.arraycopy()
implementation.  It guarantees 16-bit or 32-bit atomicity depending
on the alignment of the arguments.

Bug 3398352

Change-Id: Ie7bd246305ef0ff8290513663327c5b81680368d
2011-02-04 14:49:49 -08:00