From patchwork Thu Aug 8 18:51:42 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 1970693
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Lénárd Szolnoki, Andreas Schwab, Florian Weimer
Subject: [PATCH v3] stdlib: Fix qsort memory leak if callback throws (BZ 32058)
Date: Thu, 8 Aug 2024 15:51:42 -0300
Message-ID: <20240808185232.1351850-1-adhemerval.zanella@linaro.org>

If the input buffer exceeds the stack auxiliary buffer, qsort will malloc a temporary one to call mergesort. Since the C++ standard does allow the callback comparison function to throw [1], the glibc implementation can potentially leak memory.

The fix uses pthread_cleanup_combined_push and pthread_cleanup_combined_pop, so it can work with and without exceptions enabled. The qsort code path that calls malloc now requires some extra setup and a call to __pthread_cleanup_push and __pthread_cleanup_pop (which should be ok since they just set up some buffer state).

Checked on x86_64-linux-gnu.

[1] https://timsong-cpp.github.io/cppwp/n4950/alg.c.library#4
---
 stdlib/Makefile        | 32 ++++++++++++++++-
 stdlib/qsort.c         | 81 ++++++++++++++++++++++++++----------------
 stdlib/tst-qsort4.c    |  4 +++
 stdlib/tst-qsort7.c    | 81 ++++++++++++++++++++++++++++++++++++++++++
 stdlib/tst-qsortx7.c   |  1 +
 sysdeps/htl/pthreadP.h |  8 +++++
 6 files changed, 175 insertions(+), 32 deletions(-)
 create mode 100644 stdlib/tst-qsort7.c
 create mode 100644 stdlib/tst-qsortx7.c
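The leak described in the commit message, and the cleanup-handler shape of the fix, as an added example that is not glibc's code: a bottom-up mergesort standing in for glibc's, which mallocs a scratch buffer and guards it with pthread_cleanup_push/pop so the buffer is freed when the comparator unwinds instead of returning. As in tst-qsort7.c, thread cancellation is the unwinding event (a C++ throw would need a C++ comparator); the names sort_with_scratch, free_scratch, merge_passes and the 64-element inputs are constructed for this example.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
typedef int (*cmp_fn) (const void *, const void *);
/* Times the cleanup handler ran; read only after pthread_join, so no atomics.  */
static int scratch_freed;
static void free_scratch (void *p) { free (p); scratch_freed++; }
/* Bottom-up merge sort of N ints, staging each pass in the heap scratch buffer TMP.  */
static void merge_passes (int *b, size_t n, cmp_fn cmp, int *tmp) {
  for (size_t w = 1; w < n; w *= 2, memcpy (b, tmp, n * sizeof *b))
    for (size_t lo = 0; lo < n; lo += 2 * w) {
      size_t mid = lo + w < n ? lo + w : n, hi = lo + 2 * w < n ? lo + 2 * w : n;
      size_t i = lo, j = mid, k = lo;
      while (i < mid && j < hi) tmp[k++] = cmp (&b[i], &b[j]) <= 0 ? b[i++] : b[j++];
      while (i < mid) tmp[k++] = b[i++];
      while (j < hi) tmp[k++] = b[j++];
    }
}

/* The fix's shape: register TMP for cleanup before the first call into the caller's
   comparator, so if it never returns (cancellation, or a C++ throw) TMP is still freed.  */
static int sort_with_scratch (int *base, size_t n, cmp_fn cmp) {
  int *tmp = malloc (n * sizeof *tmp);
  if (tmp == NULL) return -1;
  pthread_cleanup_push (free_scratch, tmp);
  merge_passes (base, n, cmp, tmp);
  pthread_cleanup_pop (1);  /* normal return: run the handler (free) now */
  return 0;
}
static int int_cmp (const void *a, const void *b)
{ int x = *(const int *) a, y = *(const int *) b; return (x > y) - (x < y); }
/* A comparator that never returns: it cancels its own thread at a cancellation point.  */
static int cancelling_cmp (const void *a, const void *b)
{ (void) a; (void) b; pthread_cancel (pthread_self ()); pthread_testcancel (); return 0; }
static int victim[64];  /* constructed input for the cancellation scenario */
static void *cancel_thread (void *arg)
{ (void) arg; sort_with_scratch (victim, 64, cancelling_cmp); return NULL; }
/* 1 if the normal path sorts 64 ints correctly and frees the buffer exactly once.  */
int sorts_and_frees (void) {
  int data[64]; for (int i = 0; i < 64; i++) data[i] = 64 - i;
  scratch_freed = 0; sort_with_scratch (data, 64, int_cmp);
  for (int i = 0; i < 64; i++) if (data[i] != i + 1) return 0;
  return scratch_freed == 1;
}
/* 1 if the thread was cancelled inside the comparator and the buffer was still freed.  */
int freed_on_cancel (void) {
  pthread_t t; void *r; scratch_freed = 0;
  if (pthread_create (&t, NULL, cancel_thread, NULL) != 0) return -1;
  pthread_join (t, &r); return r == PTHREAD_CANCELED && scratch_freed == 1;
}
```

Without the push/pop pair, freed_on_cancel would still see PTHREAD_CANCELED but scratch_freed would stay 0, which is the leak mtrace catches in the patch's tst-qsort7-mem.out rule.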
diff --git a/stdlib/Makefile b/stdlib/Makefile index 347491de53..b68401bd54 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -290,6 +290,8 @@ tests := \ tst-qsort2 \ tst-qsort3 \ tst-qsort6 \ + tst-qsort7 \ + tst-qsortx7 \ tst-quick_exit \ tst-rand48 \ tst-rand48-2 \ @@ -539,7 +541,19 @@ tests-special += $(objpfx)isomac.out ifeq ($(run-built-tests),yes) tests-special += $(objpfx)tst-fmtmsg.out -endif +ifeq ($(build-shared),yes) +ifneq ($(PERL),no) +generated += \ + tst-qsort7.mtrace \ + tst-qsortx7.mtrace \ + # generated +tests-special += \ + $(objpfx)tst-qsort7-mem.out \ + $(objpfx)tst-qsortx7-mem.out \ + # tests-special +endif # $(build-shared) == yes +endif # $(PERL) == yes +endif # $(run-built-tests) == yes include ../Rules @@ -627,3 +641,19 @@ $(objpfx)tst-setcontext3.out: tst-setcontext3.sh $(objpfx)tst-setcontext3 $(objpfx)tst-qsort5: $(libm) $(objpfx)tst-concurrent-exit: $(shared-thread-library) $(objpfx)tst-concurrent-quick_exit: $(shared-thread-library) + +CFLAGS-tst-qsort7.c += -fno-exceptions -fno-asynchronous-unwind-tables +LDLIBS-tst-qsort7 = $(shared-thread-library) +tst-qsort7-ENV = MALLOC_TRACE=$(objpfx)tst-qsort7.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +$(objpfx)tst-qsort7-mem.out: $(objpfx)tst-qsort7.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-qsort7.mtrace > $@; \ + $(evaluate-test) + +CFLAGS-tst-qsortx7.c += -fexceptions +LDLIBS-tst-qsortx7 = $(shared-thread-library) +tst-qsortx7-ENV = MALLOC_TRACE=$(objpfx)tst-qsortx7.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +$(objpfx)tst-qsortx7-mem.out: $(objpfx)tst-qsortx7.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-qsortx7.mtrace > $@; \ + $(evaluate-test) diff --git a/stdlib/qsort.c b/stdlib/qsort.c index be47aebbe0..163614c4b8 100644 --- a/stdlib/qsort.c +++ b/stdlib/qsort.c 
@@ -25,6 +25,7 @@ #include #include #include +#include "pthreadP.h" /* Swap SIZE bytes between addresses A and B. These helpers are provided along the generic one as an optimization. */ @@ -338,36 +339,10 @@ indirect_msort_with_tmp (const struct msort_param *p, void *b, size_t n, } } -void -__qsort_r (void *const pbase, size_t total_elems, size_t size, - __compar_d_fn_t cmp, void *arg) +static void +qsort_r_mergesort (void *const pbase, size_t total_elems, size_t size, + __compar_d_fn_t cmp, void *arg, void *buf) { - if (total_elems <= 1) - return; - - /* Align to the maximum size used by the swap optimization. */ - _Alignas (uint64_t) char tmp[QSORT_STACK_SIZE]; - size_t total_size = total_elems * size; - char *buf; - - if (size > INDIRECT_SORT_SIZE_THRES) - total_size = 2 * total_elems * sizeof (void *) + size; - - if (total_size <= sizeof tmp) - buf = tmp; - else - { - int save = errno; - buf = malloc (total_size); - __set_errno (save); - if (buf == NULL) - { - /* Fallback to heapsort in case of memory failure. */ - heapsort_r (pbase, total_elems - 1, size, cmp, arg); - return; - } - } - if (size > INDIRECT_SORT_SIZE_THRES) { const struct msort_param msort_param = 
@@ -392,9 +367,53 @@ __qsort_r (void *const pbase, size_t total_elems, size_t size, }; msort_with_tmp (&msort_param, pbase, total_elems); } +} + +static bool +qsort_r_malloc (void *const pbase, size_t total_elems, size_t size, + __compar_d_fn_t cmp, void *arg, size_t total_size) +{ + int save = errno; + char *buf = malloc (total_size); + __set_errno (save); + if (buf == NULL) + return false; - if (buf != tmp) - free (buf); + /* Deallocate the auxiliary buffer if the callback function throws + or if the thread is cancelled. */ + pthread_cleanup_combined_push (free, buf); + qsort_r_mergesort (pbase, total_elems, size, cmp, arg, buf); + pthread_cleanup_combined_pop (0); + + free (buf); + + return true; +} + +void +__qsort_r (void *const pbase, size_t total_elems, size_t size, + __compar_d_fn_t cmp, void *arg) +{ + if (total_elems <= 1) + return; + + /* Align to the maximum size used by the swap optimization. */ + size_t total_size = total_elems * size; + + if (size > INDIRECT_SORT_SIZE_THRES) + total_size = 2 * total_elems * sizeof (void *) + size; + + if (total_size <= QSORT_STACK_SIZE) + { + _Alignas (uint64_t) char tmp[QSORT_STACK_SIZE]; + qsort_r_mergesort (pbase, total_elems, size, cmp, arg, tmp); + } + else + { + if (!qsort_r_malloc (pbase, total_elems, size, cmp, arg, total_size)) + /* Fallback to heapsort in case of memory failure. */ + heapsort_r (pbase, total_elems - 1, size, cmp, arg); + } } libc_hidden_def (__qsort_r) weak_alias (__qsort_r, qsort_r) diff --git a/stdlib/tst-qsort4.c b/stdlib/tst-qsort4.c index 247917b454..b723fa4aab 100644 --- a/stdlib/tst-qsort4.c +++ b/stdlib/tst-qsort4.c @@ -16,6 +16,10 @@ License along with the GNU C Library; if not, see . */ +#undef pthread_cleanup_combined_push +#define pthread_cleanup_combined_push(routine, arg) +#undef pthread_cleanup_combined_pop +#define pthread_cleanup_combined_pop(execute) #include "qsort.c" #include 
diff --git a/stdlib/tst-qsort7.c b/stdlib/tst-qsort7.c new file mode 100644 index 0000000000..ba0c3d7387 --- /dev/null +++ b/stdlib/tst-qsort7.c @@ -0,0 +1,81 @@ +/* Test if qsort cleanup memory allocation if the comparison function + throws (BZ 32058) + Copyright (C) 2024 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include + +static pthread_barrier_t b; + +static void +cl (void *arg) +{ +} + +static int +compar_func (const void *a1, const void *a2) +{ + xpthread_barrier_wait (&b); + + pthread_cleanup_push (cl, NULL); + + pause (); + + pthread_cleanup_pop (0); + + support_record_failure (); + + return 0; +} + +static void * +tf (void *tf) +{ + /* An array larger than QSORT_STACK_SIZE to force memory allocation. */ + int input[1024] = { 0 }; + qsort (input, array_length (input), sizeof input[0], compar_func); + + return NULL; +} + +static int +do_test (void) +{ + mtrace (); + + xpthread_barrier_init (&b, NULL, 2); + + pthread_t thr = xpthread_create (NULL, tf, NULL); + + xpthread_barrier_wait (&b); + + xpthread_cancel (thr); + + { + void *r = xpthread_join (thr); + TEST_VERIFY (r == PTHREAD_CANCELED); + } + + return 0; +} + +#include diff --git a/stdlib/tst-qsortx7.c b/stdlib/tst-qsortx7.c new file mode 100644 index 0000000000..ab6152320c 
--- /dev/null +++ b/stdlib/tst-qsortx7.c @@ -0,0 +1 @@ +#include "tst-qsort7.c" diff --git a/sysdeps/htl/pthreadP.h b/sysdeps/htl/pthreadP.h index cf8a2efe86..ef1fa8ca95 100644 --- a/sysdeps/htl/pthreadP.h +++ b/sysdeps/htl/pthreadP.h @@ -23,6 +23,7 @@ #include #include +#include /* Attribute to indicate thread creation was issued from C11 thrd_create. */ #define ATTR_C11_THREAD ((void*)(uintptr_t)-1) @@ -113,4 +114,11 @@ hidden_proto (__pthread_get_cleanup_stack) _Static_assert (sizeof (type) == size, \ "sizeof (" #type ") != " #size) +#ifndef pthread_cleanup_combined_push +# define pthread_cleanup_combined_push __pthread_cleanup_push +#endif +#ifndef pthread_cleanup_combined_pop +# define pthread_cleanup_combined_pop __pthread_cleanup_pop +#endif + #endif /* pthreadP.h */
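Review bot: the two inner `endif` comments in the stdlib/Makefile hunk at @@ -539 are swapped. The nesting is `ifeq ($(build-shared),yes)` outside `ifneq ($(PERL),no)`, so the first `endif` closes the PERL conditional and the second closes build-shared, yet they are labelled `# $(build-shared) == yes` and `# $(PERL) == yes` respectively; swap the two comments so each matches the conditional it closes.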
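Review bot: the tst-qsort7 and tst-qsortx7 rules in the stdlib/Makefile hunk at @@ -627 write `LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so` with an explicit slash after `$(common-objpfx)`, while the mtrace line right below uses `$(common-objpfx)malloc/mtrace`; use one form in both places. A one-line comment saying why the same source is built twice (tst-qsort7 with `-fno-exceptions -fno-asynchronous-unwind-tables`, tst-qsortx7 with `-fexceptions`) would also help, since nothing in the Makefile says this is what covers the "with and without exceptions" cases the commit message mentions.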
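Review bot: in the new `__qsort_r` body (stdlib/qsort.c hunk at @@ -392) the comment `/* Align to the maximum size used by the swap optimization. */` now sits above `size_t total_size = total_elems * size;`, but it describes the `_Alignas (uint64_t) char tmp[QSORT_STACK_SIZE]` declaration, which moved into the `if (total_size <= QSORT_STACK_SIZE)` block; move the comment with it. The split itself looks right: `qsort_r_malloc` keeps the errno save/restore around `malloc`, registers `free` on `buf` before the first call into the comparator, pops with `execute` 0 and frees explicitly on the normal path, and `heapsort_r` still runs only when `malloc` fails.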
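Review bot: the stdlib/tst-qsort4.c hunk defines `pthread_cleanup_combined_push` and `pthread_cleanup_combined_pop` to nothing before `#include "qsort.c"` without saying why. A short comment explaining why the stubs are needed when qsort.c is included directly, and that the cleanup path is covered by tst-qsort7 instead, would spare the next reader from wondering whether the leak fix is untested here.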
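Review bot: the file comment in stdlib/tst-qsort7.c reads `Test if qsort cleanup memory allocation if the comparison function throws`, but the test never throws: it cancels the sorting thread with `xpthread_cancel` while the comparator blocks in `pause ()`, and relies on `mtrace ()` plus the `-mem.out` rule to catch a buffer not freed on unwind. Reword it to say that (for example `Test that qsort frees its auxiliary buffer when the comparison function is unwound by cancellation (BZ 32058)`), and add a comment on why `compar_func` pushes the empty `cl` handler around `pause ()`, since its purpose is not obvious from the code. Also, `tf (void *tf)` names the parameter after the function; `arg` avoids the shadowing.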
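Review bot: stdlib/tst-qsortx7.c is a bare `#include "tst-qsort7.c"`; a one-line comment stating that it is the same test built with `-fexceptions` (per `CFLAGS-tst-qsortx7.c` in the Makefile) would make the pairing visible from the file itself.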
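Review bot: the fallback `#define pthread_cleanup_combined_push __pthread_cleanup_push` and `#define pthread_cleanup_combined_pop __pthread_cleanup_pop` added to sysdeps/htl/pthreadP.h at @@ -113 carry no comment. State that on HTL the combined variants map to the plain cleanup push/pop (which, per the commit message, only set up buffer state) and why the `#ifndef` guards are needed, so a reader does not have to locate the definition qsort.c relies on elsewhere to understand what it is calling.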