crash bug fix for _dl_dprintf in ld.so

Chris Metcalf cmetcalf at tilera.com
Wed Dec 16 18:46:40 UTC 2009


I was doing some work in ld.so and was bit by this nasty little bug. 
Someone declared the "char*" variable that holds the temporary page
mmap'ed to hold the _dl_dprintf buffer as "static".  The result is that
if two threads are in ld.so at once, they'll try to share this buffer,
sort of, until one of them munmap's it and the other one crashes.  It
should just be a regular "auto" variable.  Diff is against a recent git
download.

--- /u/cmetcalf/uClibc/ldso/ldso/dl-elf.c~      2009-12-08 15:49:20.695835000 -0500
+++ /u/cmetcalf/uClibc/ldso/ldso/dl-elf.c       2009-12-16 13:44:16.032182000 -0500
@@ -887,21 +887,21 @@
 /* Minimal printf which handles only %s, %d, and %x */
 void _dl_dprintf(int fd, const char *fmt, ...)
 {
 #if __WORDSIZE > 32
        long int num;
 #else
        int num;
 #endif
        va_list args;
        char *start, *ptr, *string;
-       static char *buf;
+       char *buf;

        if (!fmt)
                return;

        buf = _dl_mmap((void *) 0, _dl_pagesize, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (_dl_mmap_check_error(buf)) {
                _dl_write(fd, "mmap of a spare page failed!\n", 29);
                _dl_exit(20);
        }
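Review bot: the new `char *buf;` declaration has no comment saying why it must not be static, so a later cleanup could reintroduce the shared pointer. A one-line comment there, noting that _dl_dprintf can be entered by several threads at once and that each call owns the page it maps, would guard against that. The visible lines assign buf from _dl_mmap before any use, so nothing depended on the value persisting between calls and the change of storage class is safe on that front. The matching unmap is outside this hunk; it is worth confirming that it is reached on every path after a successful mmap, since each call now holds the only pointer to its page.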


-- 
Chris Metcalf, Tilera Corp.
http://www.tilera.com
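The interleaving described in the message, as an added example that is not part of the original post and is not uClibc code: two calls each map a page and store the pointer either in a static slot (pre-patch) or an automatic one (patched), and a barrier forces both stores to happen before either call reads the pointer back. The names `dprintf_like`, `foreign_page_calls` and `struct call`, the 4096-byte page size, and a Linux/pthreads build are assumptions of the example.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stddef.h>
#include <sys/mman.h>

#define PAGE_SZ 4096            /* assumed page size for the demo */
static pthread_barrier_t gate;  /* forces one fixed interleaving */

struct call { int id, use_static; char *mapped, *used; };
/* Constructed stand-in for the buffer handling in _dl_dprintf. */
static void *dprintf_like(void *arg)
{
    struct call *c = arg;
    static char *shared_buf;    /* pre-patch: one slot for every caller */
    char *own_buf = NULL;       /* patched: one slot per call */
    char **slot = c->use_static ? &shared_buf : &own_buf;
    if (c->id == 1)
        pthread_barrier_wait(&gate);    /* call 1 stores after call 0 */
    c->mapped = mmap(NULL, PAGE_SZ, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    *slot = c->mapped;
    if (c->id == 0)
        pthread_barrier_wait(&gate);
    pthread_barrier_wait(&gate);        /* both stores are done */
    c->used = *slot;    /* the page this call would format into and munmap */
    return NULL;
}

/* Number of calls that end up holding a page some other call mapped. */
int foreign_page_calls(int use_static)
{
    struct call c[2] = { { 0, use_static, NULL, NULL }, { 1, use_static, NULL, NULL } };
    pthread_t t[2];
    int i, n = 0;
    pthread_barrier_init(&gate, NULL, 2);
    for (i = 0; i < 2; i++) pthread_create(&t[i], NULL, dprintf_like, &c[i]);
    for (i = 0; i < 2; i++) pthread_join(t[i], NULL);
    pthread_barrier_destroy(&gate);
    for (i = 0; i < 2; i++) {
        n += (c[i].used != c[i].mapped);
        munmap(c[i].mapped, PAGE_SZ);   /* the demo unmaps each page exactly once */
    }
    return n;
}

int main(void) { return !(foreign_page_calls(1) == 1 && foreign_page_calls(0) == 0); }
```

With the static slot, call 0 reads back call 1's page, so both calls would unmap the same page and call 0's own page would never be released; with the automatic slot each call reads back its own mapping.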


