Date: Wed, 4 Oct 2006 13:56:24 GMT From: KUROSAWA@FreeBSD.org, Takahiro <takahiro.kurosawa@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: threads/103975: Implicit loading/unloading of libpthread.so may crash user processes Message-ID: <200610041356.k94DuOmj097237@www.freebsd.org> Resent-Message-ID: <200610041400.k94E0pIc092064@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 103975
>Category: threads
>Synopsis: Implicit loading/unloading of libpthread.so may crash user processes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-threads
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 04 14:00:50 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: KUROSAWA, Takahiro
>Release: 6.2-PRERELEASE
>Organization:
>Environment:
FreeBSD cube.nodomain.noroot 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #13: Fri Sep 29 14:34:05 JST 2006 kurosawa@cube.nodomain.noroot:/usr/obj/usr/src/sys/CUBE i386
>Description:
A program (described as ProgA below) gets SIGSEGV if following conditions
are met:
- ProgA dlopen()s and dlclose()s a shared object (ShobjB)
- ProgA doesn't link libpthread.so
- ShbjB dynamically links libpthread.so
(libpthread.so will be loaded when ProgA dlopen()s ShobjB)
- ProgA calls functions like gethostbyname() that uses __thr_jtable
(in src/lib/libc/gen/_pthread_stubs.c) after unloading ShobjB.
The problem is that function pointers in __thr_jtable still point to functions
in libpthread.so after libpthread.so is unloaded from ProgA's memory space.
To fix the problem, a function that has __attribute__((destructor))
in libpthread should probably be implemented in order to recover
the initial state before unloading.
>How-To-Repeat:
The problem occurs on the web server built with following ports
when the httpd receives SIGHUP that is sent by newsyslog:
- www/apache20
- lang/php4
- databases/php4-pgsql
- databases/postgresql81-{client,server} with the option WITH_THREADSAFE=true
Or extract the following archive then run "make test."
The 3rd call of test() in pjt-replace.c causes SIGSEGV.
begin 644 pjt.tar.gz
M'XL(`#J[(T4``^V4WV_3,!#'^QK_%:?02>GH#[=-6JFC$Z,;?2DO6WD`(2'7
M<99L7A+%SA!"_._8257:CL%3-P'W>;GX_#W?Q9=+?J,;AX92.@X",+8_#OK6
M4CKP:[L&^C3HT_$P\`,*M#\(1N,&!`>OS%`JS0I3RFU99(I]88_IC"R*?G/.
M^CTV]B\AO]&]=^Q61(D4A\IA[F/D^X_WWQ\,]_KO#VG0`'JH@K;YS_M_?O'F
M_=QQIM"Y)K.WB[/YE>.\G$+3JS9:9'EV.;]87EF%^52Z*K.F4XA<,BX(85).
M?KFAA=(3,-O$Z?9V=K86D^V8;D:<IC>;M3;)H9-!\_6>AM39ZE"5=?G#*!6S
M0H1;T58&'9GKN!`LK$NPO@EQ.-/0"\5]+RVEA%,309Z[)4^*G?_M"^8'R/&G
M^0]&_M[\!X,!SO^3\"))N2Q#`:]"&?&T&Y^2GRZEPR3;=:5"AROK(N9"=,+A
M/DO":MH];L8.CD.A>(M\(X[21<DUQ)G2(M5P',,4KH6VZ]77E-T)SY499](Z
MW-8)<?(B277DN4=JLBN$0NBR2,U('^6?4K<--D<;8A/TG1`31.Y8DGJVDBJS
M?3#Y3@AQJL+<E8BR0D`HLURD52Y;3+WTW.K_9'XIYN#+Y>+\\^+LXP>KJ6-9
MI$6QUK9A<Q*7F1+54>MG+WX8LQ$1IWX%H+;DY^XY@B`(@B`(@B`(@B`(@B`(
2@B`(@B`(\N_Q`XCZB,H`*```
`
end
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200610041356.k94DuOmj097237>