Hi~ I found a bug(critical bug) in glibc-linuxthreads-2.3.2.

[박현우]

Hi~

I found very critical bug in pthread library.

In "glibc-2.3.2/linuxthreads/cancel.c", FRAME_LEFT macro check stack pointer of 
_pthread_cleanup_buffer. but, this is not need(I think...) and make critical 
bug in some machine(in my case, powerpc 405 core. but, someone said mips make 
same bug.).

As you can see in the attached test program and result of the execution(see 
below...), stack pointer grow down when you call a function. but, stack pointer 
grow up in brace at a function. so, pthread_exit calls the last callback 
function what you registered.

If you have any question, don`t hesitate to mail to me.
Thanks for your effort....

Hyun-woo Park.



/*********************** BUG situation ***********************/
address@hidden parkhw00]# ./tmp/test
in function &a = 0x7ffffa48
in function &a = 0x7ffffa28
in function &a = 0x7ffffa08
&a = 0x7ffffa68
&a = 0x7ffffa69
&a = 0x7ffffa6a
thread...
&_buffer=0x307ffad0 _buffer.__prev = 0x00000000
&_buffer=0x307ffae0 _buffer.__prev = 0x00000000
&_buffer=0x307ffaf0 _buffer.__prev = 0x00000000
cleanup3 called...
joined...
address@hidden parkhw00]#



/******************** after patch applied ********************/
address@hidden parkhw00]# ./tmp/test
current stack frame 0x7ffffa58
in function &a = 0x7ffffa38
in function &a = 0x7ffffa18
in function &a = 0x7ffff9f8
&a = 0x7ffffa58
&a = 0x7ffffa59
&a = 0x7ffffa5a
thread...
current stack frame 0x30825acc
&_buffer=0x30825ad0 _buffer.__prev = 0x00000000
&_buffer=0x30825ae0 _buffer.__prev = 0x30825ad0
&_buffer=0x30825af0 _buffer.__prev = 0x30825ae0
cleanup3 called...
cleanup2 called...
cleanup1 called...
joined...
address@hidden parkhw00]#

pthread_test.tgz
Description: application/compressed

glibc-linuxthreads-2.3.2_powerpc_patch_by_parkhw00.patch
Description: Binary data