[2/2] server: Avoid invalid memory access when thread is killed while in wake_up(). (Valgrind)

Sebastian Lackner sebastian at fds-team.de
Sat Jun 21 16:19:31 CDT 2014


Found by using Valgrind + fuzz testing.

Imagine the following scenario:

kill_thread() is called and generates (for example) a debug event.
-> This will call wake_up() on the debugger context queue.
-> This will lead to a send_thread_wakeup() call on the debugger thread.

When the debugger thread doesn't exist anymore, the wakeup will fail with
EPIPE, and wineserver will kill the debugger process. Unfortunately it
might be possible that the debugger process itself is also waiting on
the debugger context queue. This entry will be removed in a nested
wake_up() call.

When we return back to the original wake_up(), then wake_thread()
returns a value of zero, which is interpreted as if the list has not
changed. -> Invalid memory access when we try to continue with the next
element in 'LIST_FOR_EACH( ptr, &obj->wait_queue )'.


Valgrind output:
----------------

(line numbers might differ due to some other unrelated modifications and
additional debug messages)

==17608== Invalid read of size 4
==17608==    at 0x807EE32: wake_up (thread.c:885)
==17608==    by 0x8052F8A: link_event (debugger.c:244)
==17608==    by 0x80535CF: generate_debug_event (debugger.c:404)
==17608==    by 0x8066A74: remove_process_thread (process.c:697)
==17608==    by 0x807F4D7: kill_thread (thread.c:1118)
==17608==    by 0x8077855: read_request (request.c:320)
==17608==    by 0x807D425: thread_poll_event (thread.c:261)
==17608==    by 0x8056E86: fd_poll_event (fd.c:446)
==17608==    by 0x805713C: main_loop_epoll (fd.c:541)
==17608==    by 0x8057536: main_loop (fd.c:886)
==17608==    by 0x805FF48: main (main.c:148)
==17608==  Address 0x8a5356c is 52 bytes inside a block of size 68 free'd
==17608==    at 0x49EF06C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17608==    by 0x807E046: end_wait (thread.c:585)
==17608==    by 0x807E6CE: wake_thread (thread.c:727)
==17608==    by 0x807EDC4: wake_up (thread.c:891)
==17608==    by 0x8052F8A: link_event (debugger.c:244)
==17608==    by 0x80535CF: generate_debug_event (debugger.c:404)
==17608==    by 0x8066A74: remove_process_thread (process.c:697)
==17608==    by 0x807F4D7: kill_thread (thread.c:1118)
==17608==    by 0x8077855: read_request (request.c:320)
==17608==    by 0x807D425: thread_poll_event (thread.c:261)
==17608==    by 0x8056E86: fd_poll_event (fd.c:446)
==17608==    by 0x805713C: main_loop_epoll (fd.c:541)
==17608==

---
 server/thread.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-server-Avoid-invalid-memory-access-when-thread-is-ki.patch
Type: text/x-patch
Size: 1931 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20140621/6499c852/attachment.bin>
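The failure pattern described in the message above, as an added example that is not part of the original message, of the attached patch, or of Wine's server code: a toy wait queue, a wake routine that removes the entry from the queue before attempting delivery and then returns 0 on delivery failure (the same value as "this thread was not woken"), and two versions of the wake-up loop. free() is replaced by a "freed" flag so the stale read can be counted instead of being undefined behaviour. The list helpers, the names wake_up_buggy/wake_up_fixed/run_scenario, the generation counter, and the waiter scenario (D not signaled, B with a closed pipe, A and C ordinary) are all constructed for this example; the generation counter is one way to detect queue changes and is not claimed to be the approach the attached patch takes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Intrusive doubly-linked list written for this example; it has the shape of a
 * LIST_FOR_EACH-style list but is not Wine's list.h. */
struct list { struct list *next, *prev; };
static void list_init(struct list *l) { l->next = l->prev = l; }
static void list_add_tail(struct list *l, struct list *e)
{ e->next = l; e->prev = l->prev; l->prev->next = e; l->prev = e; }
/* Unlink e but leave its own pointers stale, as the contents of a freed block would be. */
static void list_unlink(struct list *e) { e->prev->next = e->next; e->next->prev = e->prev; }
#define LIST_ENTRY(ptr, type, field) ((type *)((char *)(ptr) - offsetof(type, field)))

struct waiter {
    struct list entry;
    bool signaled;     /* constructed: the wait condition is satisfied */
    bool pipe_closed;  /* constructed: the client is gone, delivery would fail (EPIPE) */
    bool freed;        /* stands in for free() so a stale read is observable, not UB */
};

struct object {
    struct list wait_queue;
    unsigned generation;  /* bumped on every removal; used only by the fixed loop */
};

static int woken, stale_reads;  /* counters the test asserts on */

/* end_wait analogue: take the entry off the queue and "free" it. */
static void end_wait(struct object *obj, struct waiter *w)
{
    list_unlink(&w->entry);
    w->freed = true;
    obj->generation++;
}

/* wake_thread analogue, returning the number of waits it completed. The entry is
 * removed before delivery is attempted, so a delivery failure returns 0 even
 * though the queue has changed. */
static int wake_thread(struct object *obj, struct waiter *w)
{
    if (!w->signaled) return 0;      /* queue untouched: 0 is accurate */
    end_wait(obj, w);                /* entry is gone from the queue now */
    if (w->pipe_closed) return 0;    /* delivery failed: 0 hides the removal */
    woken++;
    return 1;
}

/* Buggy loop: infers "queue unchanged" from a zero return value. */
static void wake_up_buggy(struct object *obj)
{
    struct list *ptr;
    for (ptr = obj->wait_queue.next; ptr != &obj->wait_queue; ptr = ptr->next)
    {
        struct waiter *w = LIST_ENTRY(ptr, struct waiter, entry);
        if (!wake_thread(obj, w))
        {
            /* ptr = ptr->next below then reads an entry end_wait already released;
             * with a real free() that is the invalid read Valgrind reported. */
            if (w->freed) stale_reads++;
            continue;
        }
        ptr = &obj->wait_queue;  /* queue changed: restart from the head */
    }
}

/* Fixed loop: observe queue changes directly instead of trusting the return value.
 * Every restart follows a removal, so the loop still terminates. */
static void wake_up_fixed(struct object *obj)
{
    struct list *ptr;
    for (ptr = obj->wait_queue.next; ptr != &obj->wait_queue; ptr = ptr->next)
    {
        struct waiter *w = LIST_ENTRY(ptr, struct waiter, entry);
        unsigned before = obj->generation;
        wake_thread(obj, w);
        if (obj->generation != before) ptr = &obj->wait_queue;  /* restart from the head */
    }
}

struct result { int woken, stale_reads, remaining; };

/* Constructed scenario: D waits but is not signaled, B's client has closed its
 * pipe, A and C are ordinary waiters. Runs one of the two loops over it. */
static struct result run_scenario(bool use_fixed)
{
    struct waiter D = { .signaled = false }, A = { .signaled = true };
    struct waiter B = { .signaled = true, .pipe_closed = true }, C = { .signaled = true };
    struct object obj = { .generation = 0 };
    struct result r = { 0, 0, 0 };
    struct list *ptr;

    list_init(&obj.wait_queue);
    list_add_tail(&obj.wait_queue, &D.entry);
    list_add_tail(&obj.wait_queue, &A.entry);
    list_add_tail(&obj.wait_queue, &B.entry);
    list_add_tail(&obj.wait_queue, &C.entry);

    woken = stale_reads = 0;
    if (use_fixed) wake_up_fixed(&obj); else wake_up_buggy(&obj);
    r.woken = woken;
    r.stale_reads = stale_reads;
    for (ptr = obj.wait_queue.next; ptr != &obj.wait_queue; ptr = ptr->next) r.remaining++;
    return r;
}
```

Both loops wake A and C and leave D on the queue, but the buggy loop follows B's stale next pointer once after end_wait has released B. It survives here only because the unlinked node keeps its old pointers; with a real allocator that block may already be reused, which is why Valgrind is the tool that catches it. The fixed loop restarts only when a removal actually happened, so a 0 return from a thread whose wait is simply not satisfied (D) does not cause a restart and cannot loop forever.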
