On Jan 15 19:20, Takashi Yano wrote:
> Hi,
>
> I found the following test case causes segmentation fault
> in 32 bit cygwin.
> [...]
> I looked into this problem and found that this is due to
> freeing archetype which was already freed by _cfree().
>
> The mechanism of the problem is:
> 1) archetype is added to archetypes[] at line 675 in dtable.cc
>    when trying to open pty.
> 2) Opening pty fails because too many ptys are opened.
> 3) archetype is deleted at line 444 in fhandler.cc.
> 4) archetype is copied from archetypes[] at line 659 in dtable.cc
>    which is already freed in step 3) when trying to open pty again.
> 5) Opening pty fails again.
> 6) archetype which was already freed in step 3) is deleted at
>    line 444 in fhandler.cc.
>
> I am not sure why this does not happen in 64 bit cygwin.
> I guess double free does not cause segfault by chance in
> 64 bit cygwin.
>
> I also found the following patch fixes the issue. Is this the
> right thing?
>
> diff --git a/winsup/cygwin/fhandler.cc b/winsup/cygwin/fhandler.cc
> index fc7c0422e..e51208117 100644
> --- a/winsup/cygwin/fhandler.cc
> +++ b/winsup/cygwin/fhandler.cc
> @@ -441,7 +441,7 @@ fhandler_base::open_with_arch (int flags, mode_t mode)
>  || open (flags, mode & 07777)))
>  {
>  if (archetype)
> - delete archetype;
> + cygheap->fdtab.delete_archetype (archetype);
>  }
>  else if (archetype)
>  {
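Review bot: the replacement line `cygheap->fdtab.delete_archetype (archetype);` runs whenever `archetype` is non-null, with no check that this opener holds the last reference to it; an archetype that other descriptors still share (the report's step 4 shows archetypes being handed out again from archetypes[]) would be unlinked and freed under them, turning the reported double free into a use-after-free for the surviving holders. Guard the call with the use count (drop this opener's reference and delete only when the count reaches zero), and state in the commit message that the old bare `delete archetype;` left the stale pointer in archetypes[], which is exactly the six-step sequence in the report.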
Good catch!  I think this is basically ok, but you have to check the
usecount, i.e.

  if (archetype && archetype_usecount (-1) == 0)
    cygheap->fdtab.delete_archetype (archetype);

Does that sound right?

Corinna

--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
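To make the six-step sequence in the report and the use-count check in the reply concrete, here is a small C++ model added for this thread; it is not Cygwin's code. `ArchetypeTable` stands in for `cygheap->fdtab.archetypes[]`, `release()` for the old bare `delete archetype`, `delete_archetype()` for the patched path, and the `usecount` field for `archetype_usecount()`; the integer device key, the flag-based "free" that counts double releases instead of corrupting the heap, and the `fail`/`fixed` parameters are constructed for the model.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Model of the archetype that fhandlers of one device share. A release marks
// the object dead instead of freeing memory, so a second release can be
// counted rather than crashing the way the report describes.
struct Archetype {
  explicit Archetype(int d) : dev(d) {}
  int dev;             // constructed device key the table is searched by
  int usecount = 0;    // stands in for archetype_usecount()
  bool alive = true;
};

// Model of cygheap->fdtab.archetypes[] with both deletion paths.
class ArchetypeTable {
 public:
  int double_frees = 0;   // what a heap checker would flag

  ~ArchetypeTable() { for (Archetype* a : all_) delete a; }  // real cleanup

  Archetype* find_archetype(int dev) {          // dtable.cc, report step 4
    for (Archetype* a : archetypes_)
      if (a->dev == dev) return a;
    return nullptr;
  }
  Archetype* add_archetype(int dev) {           // dtable.cc, report step 1
    Archetype* a = new Archetype(dev);
    archetypes_.push_back(a);
    all_.push_back(a);
    return a;
  }
  // Old failure path: "free" the object but leave its pointer in the table.
  void release(Archetype* a) {
    if (!a->alive) { ++double_frees; return; }
    a->alive = false;
  }
  // Patched failure path: unlink from the table first, then free.
  void delete_archetype(Archetype* a) {
    archetypes_.erase(std::remove(archetypes_.begin(), archetypes_.end(), a),
                      archetypes_.end());
    release(a);
  }
  // Does the table still hand out a pointer to a dead object?
  bool has_stale_entry() const {
    for (const Archetype* a : archetypes_)
      if (!a->alive) return true;
    return false;
  }

 private:
  std::vector<Archetype*> archetypes_;  // what lookups see
  std::vector<Archetype*> all_;         // every allocation, for the destructor
};

// Model of fhandler_base::open_with_arch(): look up or create the archetype,
// take a reference, and on failure drop it through one of the two paths.
// `fail` models "too many ptys are opened"; `fixed` selects the patched path
// with the use-count check from the reply.
bool open_with_arch(ArchetypeTable& t, int dev, bool fail, bool fixed) {
  Archetype* arch = t.find_archetype(dev);
  if (!arch) arch = t.add_archetype(dev);
  ++arch->usecount;
  if (!fail) return true;
  if (fixed) {
    if (--arch->usecount == 0) t.delete_archetype(arch);
  } else {
    t.release(arch);   // report steps 3 and 6: freed, pointer still in table
  }
  return false;
}

// Report steps 1-6: two failed opens of the same pty.
int double_frees_after_two_failed_opens(bool fixed) {
  ArchetypeTable t;
  open_with_arch(t, 1, true, fixed);
  open_with_arch(t, 1, true, fixed);
  return t.double_frees;
}

// After one failed open, is a dead pointer still reachable from the table?
bool stale_entry_after_failed_open(bool fixed) {
  ArchetypeTable t;
  open_with_arch(t, 1, true, fixed);
  return t.has_stale_entry();
}

// Why the use count matters: a descriptor that already holds the archetype
// must keep it when a later open of the same device fails.
bool shared_archetype_survives_failed_open() {
  ArchetypeTable t;
  open_with_arch(t, 1, false, true);   // first open succeeds, usecount 1
  open_with_arch(t, 1, true, true);    // second fails, usecount back to 1
  Archetype* a = t.find_archetype(1);
  return a != nullptr && a->alive && a->usecount == 1;
}

int main() {
  std::printf("double frees, old path:     %d\n",
              double_frees_after_two_failed_opens(false));
  std::printf("double frees, patched path: %d\n",
              double_frees_after_two_failed_opens(true));
  std::printf("stale entry, old path:      %d\n", stale_entry_after_failed_open(false));
  std::printf("shared archetype survives:  %d\n", shared_archetype_survives_failed_open());
  return 0;
}
```

The old path counts one double release on the second failed open and leaves a dead entry in the table after the first, which is the dangling pointer that step 4 copies; the patched path with the use-count check produces neither, and a descriptor that already holds the archetype keeps a live one with its count intact.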