From e0dc2d243e4b77c0b3a8050e4d648733aa162d32 Mon Sep 17 00:00:00 2001
From: chunseok lee
Date: Thu, 14 Dec 2017 09:29:29 +0900
Subject: Fix uaf in DestroyThread function

upstream cherrypick : 14f609a711f61c0724
From: Konstantin Baladurin
Date: Fri, 8 Dec 2017 15:28:40 +0300
Subject: Fix uaf in DestroyThread function.

Mark thread's buffers as no longer owned before calling Thread::OnThreadTerminate because thread can delete itself in this method.

Change-Id: Ie897af344db4021c015deb0b2e72ac642d2e0c6e
Signed-off-by: chunseok lee
---
 .../0001-Fix-uaf-in-DestroyThread-function.patch | 52 ++++++++++++++++++++++
 packaging/coreclr.spec | 5 ++-
 2 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 packaging/0001-Fix-uaf-in-DestroyThread-function.patch

diff --git a/packaging/0001-Fix-uaf-in-DestroyThread-function.patch b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
new file mode 100644
index 0000000000..d41473eb71
--- /dev/null
+++ b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
@@ -0,0 +1,52 @@
+From 26319006acafde23118c2fd566525a8c2864e748 Mon Sep 17 00:00:00 2001
+From: chunseok lee
+Date: Wed, 13 Dec 2017 12:24:34 +0900
+Subject: [PATCH] Fix uaf in DestroyThread function
+
+upstream cherrypick : 14f609a711f61c0724
+From: Konstantin Baladurin
+Date: Fri, 8 Dec 2017 15:28:40 +0300
+Subject: Fix uaf in DestroyThread function.
+
+Mark thread's buffers as no longer owned before calling
+Thread::OnThreadTerminate because thread can delete itself in
+this method.
+
+Signed-off-by: chunseok lee
+---
+ src/vm/threads.cpp | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/vm/threads.cpp b/src/vm/threads.cpp
+index df8916c..59633fe 100644
+--- a/src/vm/threads.cpp
++++ b/src/vm/threads.cpp
+@@ -987,12 +987,6 @@ void DestroyThread(Thread *th)
+ #endif // _TARGET_X86_
+ #endif // WIN64EXCEPTIONS
+
+- if (g_fEEShutDown == 0)
+- {
+- th->SetThreadState(Thread::TS_ReportDead);
+- th->OnThreadTerminate(FALSE);
+- }
+-
+ #ifdef FEATURE_PERFTRACING
+ // Before the thread dies, mark its buffers as no longer owned
+ // so that they can be cleaned up after the thread dies.
+@@ -1002,6 +996,12 @@ void DestroyThread(Thread *th)
+ pBufferList->SetOwnedByThread(false);
+ }
+ #endif // FEATURE_PERFTRACING
++
++ if (g_fEEShutDown == 0)
++ {
++ th->SetThreadState(Thread::TS_ReportDead);
++ th->OnThreadTerminate(FALSE);
++ }
+ }
+
+ //-------------------------------------------------------------------------
+--
+2.7.4
+
diff --git a/packaging/coreclr.spec b/packaging/coreclr.spec
index acebdf86e8..1af5bba33d 100644
--- a/packaging/coreclr.spec
+++ b/packaging/coreclr.spec
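Review bot: Nothing in the relocated block records that `th->OnThreadTerminate(FALSE);` may free `th`, so the fix holds only as long as that call stays the last statement of DestroyThread; the `+ }` right after it shows that is true today, but any cleanup appended later would silently reintroduce the use-after-free this patch removes. Add a comment above the new `if (g_fEEShutDown == 0)`, e.g. `// Must remain the last use of th: OnThreadTerminate may delete the Thread object.` Separately, the nested patch's `From:` line names the packager while the upstream author appears only in the body, so `git am` will record the wrong author; generating the cherry-pick with `git format-patch` keeps the original attribution. DestroyThread begins before the nested hunk's first line (-987) and the lines between its two hunks are not shown.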
@@ -23,7 +23,7 @@ Source1000: downloaded_files.tar.gz
 Source1001: %{name}.manifest
 Source1002: libicu.tar.gz
 Source1003: dep_libs.tar.gz
-# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
+# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
 Patch0: 0001-Add-project.assets.json-files.patch
 Patch1: 0001-ARM-Linux-Support-unaligned-struct-read-write-11290.patch
 Patch2: 0002-x86-Linux-Thread-safe-UMThunkMarshInfo-RunTimeInit-1.patch
@@ -62,7 +62,7 @@ Patch34: 0001-Fix-assert-in-HelperMethodFrame-UpdateRegDisplay-142.patch
 Patch35: 0001-Fix-clrstack-command-of-lldb-sosplugin-on-x86-13973.patch
 Patch36: 0001-Fix-typo-in-SetDebuggerREGDISPLAYFromREGDISPLAY-1422.patch
 Patch37: 0001-Use-addresses-without-sign-extension-in-lldb-plugin-.patch
-
+Patch38: 0001-Fix-uaf-in-DestroyThread-function.patch
 ExcludeArch: aarch64
@@ -199,6 +199,7 @@ cp %{SOURCE1001} .
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
 %if 0%{skipmscorlib}
 %else
--
cgit v1.2.3