diff options
Diffstat (limited to 'devel/glib20/files/patch-bug739424')
| -rw-r--r-- | devel/glib20/files/patch-bug739424 | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/devel/glib20/files/patch-bug739424 b/devel/glib20/files/patch-bug739424 new file mode 100644 index 000000000000..c5b8d82925b1 --- /dev/null +++ b/devel/glib20/files/patch-bug739424 @@ -0,0 +1,59 @@ +From 22656f16c29591207c667362e2a42fd348fe8494 Mon Sep 17 00:00:00 2001 +From: Martin Pieuchot <mpi@openbsd.org> +Date: Fri, 28 Apr 2017 15:06:52 +0200 +Subject: [PATCH] kqueue: fix use-after-free of ``kqueue_sub''. + +Since ``kqueue_sub'' are not refcounted it is common to see a thread +freeing one of them while another thread is manipulating them. This +leads to crashs reported in: + https://bugzilla.gnome.org/show_bug.cgi?id=739424 + +To prevent such crash, make sure the threads are holding ``hash_lock'' +when manipulating such items. +--- + gio/kqueue/kqueue-helper.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/gio/kqueue/kqueue-helper.c b/gio/kqueue/kqueue-helper.c +index d4e66cd4d..84b9ef164 100644 +--- gio/kqueue/kqueue-helper.c ++++ gio/kqueue/kqueue-helper.c +@@ -291,10 +291,10 @@ process_kqueue_notifications (GIOChannel *gioc, + + G_LOCK (hash_lock); + sub = (kqueue_sub *) g_hash_table_lookup (subs_hash_table, GINT_TO_POINTER (n.fd)); +- G_UNLOCK (hash_lock); + + if (sub == NULL) + { ++ G_UNLOCK (hash_lock); + KH_W ("Got a notification for a deleted or non-existing subscription %d", + n.fd); + return TRUE; +@@ -336,6 +336,7 @@ process_kqueue_notifications (GIOChannel *gioc, + g_file_monitor_source_handle_event (source, mask, NULL, NULL, NULL, g_get_monotonic_time ()); + } + ++ G_UNLOCK (hash_lock); + return TRUE; + } + +@@ -451,13 +452,14 @@ _kh_start_watching (kqueue_sub *sub) + + G_LOCK (hash_lock); + g_hash_table_insert (subs_hash_table, GINT_TO_POINTER (sub->fd), sub); +- G_UNLOCK (hash_lock); + + _kqueue_thread_push_fd (sub->fd); + + /* Bump the kqueue thread. It will pick up a new sub entry to monitor */ + if (!_ku_write (kqueue_socket_pair[0], "A", 1)) + KH_W ("Failed to bump the kqueue thread (add fd, error %d)", errno); ++ G_UNLOCK (hash_lock); ++ + return TRUE; + } + +-- +2.12.2 + |