Closed
Bug 1510738
Opened 6 years ago
Closed 6 years ago
Null check return value parameter in pthread_join redirection
Categories
(Core Graveyard :: Web Replay, defect)
Core Graveyard
Web Replay
Tracking
(firefox65 fixed)
RESOLVED
FIXED
mozilla65
Tracking | Status | |
---|---|---|
firefox65 | --- | fixed |
People
(Reporter: bhackett1024, Assigned: bhackett1024)
References
Details
Attachments
(1 file)
482 bytes,
patch
|
loganfsmyth
:
review+
|
Details | Diff | Splinter Review |
pthread_join has a return value parameter which is allowed to be NULL, but its redirection writes to this parameter without any checks. This is responsible for the crash below.
11/16 https://crash-stats.mozilla.com/report/index/f2dcff81-98b1-4f0b-b358-64bff0181116
Attachment #9028414 -
Flags: review?(lsmyth)
Comment 1•6 years ago
|
||
Comment on attachment 9028414 [details] [diff] [review]
patch
Review of attachment 9028414 [details] [diff] [review]:
-----------------------------------------------------------------
::: toolkit/recordreplay/ProcessRedirectDarwin.cpp
@@ -780,1 @@
> aArguments->Rval<ssize_t>() = 0;
The headers imply that these return values are `int` types. Is the `ssize_t` here right?
Attachment #9028414 -
Flags: review?(lsmyth) → review+
Assignee | ||
Comment 2•6 years ago
|
||
(In reply to Logan Smyth [:loganfsmyth] from comment #1)
> Comment on attachment 9028414 [details] [diff] [review]
> patch
>
> Review of attachment 9028414 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: toolkit/recordreplay/ProcessRedirectDarwin.cpp
> @@ -780,1 @@
> > aArguments->Rval<ssize_t>() = 0;
>
> The headers imply that these return values are `int` types. Is the `ssize_t`
> here right?
The aArguments accessors require that when arguments or return values are interpreted as being of some type, that type must use the full eight bytes allocated for the argument/return value. This ensures that writes to these arguments/return values will completely fill them in. Doing so isn't actually necessary here, as the 'int' return type means that only four bytes of the return value will be used. Filling in all eight bytes won't hurt anything, however.
Comment 3•6 years ago
|
||
Cool, thanks for the info. Hope you don't mind the questions every once in a while.
Assignee | ||
Comment 4•6 years ago
|
||
(In reply to Logan Smyth [:loganfsmyth] from comment #3)
> Cool, thanks for the info. Hope you don't mind the questions every once in a
> while.
No worries, I'm happy to answer any questions you have.
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aa55c733298c
Null check return value parameter in pthread_join redirection, r=lsmyth.
Comment 6•6 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•5 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•