Chiebot-Mirror
/
grpc
mirror of https://github.com/grpc/grpc.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #11819 from dgquintas/timer_manager_uaf

Browse Source 
Fix use-after-free in timer manager
pull/11827/head
David G. Quintas 7 years ago committed by GitHub
parent bf828943cb fc94d1f4a0
commit d4619f439d
1 changed files with 7 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 7
      src/core/lib/iomgr/timer_manager.c

7
src/core/lib/iomgr/timer_manager.c
Unescape View File

@ -84,7 +84,14 @@ static void start_timer_thread_and_unlock(void) {
gpr_thd_options opt = gpr_thd_options_default(); gpr_thd_options opt = gpr_thd_options_default();
gpr_thd_options_set_joinable(&opt); gpr_thd_options_set_joinable(&opt);
completed_thread *ct = gpr_malloc(sizeof(*ct)); completed_thread *ct = gpr_malloc(sizeof(*ct));
// The call to gpr_thd_new() has to be under the same lock used by
// gc_completed_threads(), particularly due to ct->t, which is written here
// (internally by gpr_thd_new) and read there. Otherwise it's possible for ct
// to leak through g_completed_threads and be freed in gc_completed_threads()
// before "&ct->t" is written to, causing a use-after-free.
gpr_mu_lock(&g_mu);
gpr_thd_new(&ct->t, timer_thread, ct, &opt); gpr_thd_new(&ct->t, timer_thread, ct, &opt);
gpr_mu_unlock(&g_mu);
} }
void grpc_timer_manager_tick() { void grpc_timer_manager_tick() {

Write Preview
Loading…
Cancel
Save