Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Probable thread-safety issue in pcre2 10.43+ #402

Closed
lbonn opened this issue Mar 25, 2024 · 9 comments
Closed

Probable thread-safety issue in pcre2 10.43+ #402

lbonn opened this issue Mar 25, 2024 · 9 comments

Comments

@lbonn
Copy link

lbonn commented Mar 25, 2024

Our application is matching elements against patterns in several concurrent threads and we had some crash reports from users who updated to recent pcre2: davatorium/rofi#1966.

After a collective effort, we tracked down a probable culprit as a regression introduced in d84f255, in particular the locking logic in the jit allocator.

From an educated guess, the fix could be to protect (again) some fields access in next_header, as these are also read in the free() function:

diff --git a/src/sljit/allocator_src/sljitExecAllocatorCore.c b/src/sljit/allocator_src/sljitExecAllocatorCore.c
index 85f3a9d..2fc91c2 100644
--- a/src/sljit/allocator_src/sljitExecAllocatorCore.c
+++ b/src/sljit/allocator_src/sljitExecAllocatorCore.c
@@ -237,12 +237,12 @@ SLJIT_API_FUNC_ATTRIBUTE void* sljit_malloc_exec(sljit_uw size)
                header->size = chunk_size;
                next_header = AS_BLOCK_HEADER(header, chunk_size);
        }
-       SLJIT_ALLOCATOR_UNLOCK();
        next_header->size = 1;
        next_header->prev_size = chunk_size;
 #ifdef SLJIT_HAS_EXECUTABLE_OFFSET
        next_header->executable_offset = executable_offset;
 #endif /* SLJIT_HAS_EXECUTABLE_OFFSET */
+       SLJIT_ALLOCATOR_UNLOCK();
        return MEM_START(header);
 }

It stopped crashing after this change for at least one of the testers.

CC: @christian-heusel, @DaveDavenport, @ravomavain, @dennisschagt
@zherczeg
Copy link
Collaborator

Just the other day I was also wondering why the unlock mas moved before the end of the function. It just felt wrong. @carenas do you remember?

zherczeg/sljit@7de0fee#diff-249fa9ceb0eb2b074dbaa38dfca020158e15e36e8a7b5d0aca1443226bf4b63aR243

@carenas
Copy link
Contributor

carenas commented Mar 25, 2024

It just felt wrong. @carenas do you remember?

It was likely unintentional and therefore a bug

@easyteacher
Copy link

https://bugs.kde.org/show_bug.cgi?id=484514 has a similar backtrace

@lbonn
Copy link
Author

lbonn commented Apr 2, 2024

@zherczeg @carenas should I open a PR to sljit and pcre2 with this small change or do you prefer to handle it yourself?

A fair number of users seem affected and the bug might have security implications as it causes memory corruption.

@zherczeg
Copy link
Collaborator

zherczeg commented Apr 2, 2024

Up to you. Let me know your decision.

lbonn added a commit to lbonn/sljit that referenced this issue Apr 2, 2024
@lbonn
Fix locking region in sjlit_malloc_exec
e5e5256 
The locked section needs to extend until we are done modifying internal
block offsets and sizes, otherwise we risk running into data corruption
in a multi-threaded context.

This bug was introduced in 7de0fee

See: PCRE2Project/pcre2#402
lbonn added a commit to lbonn/pcre2 that referenced this issue Apr 2, 2024
@lbonn
Backport locking fix in sljit allocator
7ab847b 
An erroneous locking issue was introduced in the sljit update
of commit d84f255.

It caused crashes when matching regular expressions in a multi-threaded
context.

Fixes PCRE2Project#402
This was referenced Apr 2, 2024
Merged
Closed
@lbonn
Copy link
Author

lbonn commented Apr 2, 2024

@zherczeg thanks for the very quick merge :)

@lbonn
Copy link
Author

lbonn commented Apr 3, 2024

Fix is now in the master branch e466d41, thank you!

@lbonn lbonn closed this as completed Apr 3, 2024
@dangelog
Copy link

dangelog commented Apr 4, 2024

Hi! Do you think this warrants a release, given the bug causes crashes?

@PhilipHazel
Copy link
Collaborator

Probably fairly soon, but I am currently chasing down an obscure bug that oss-fuzz found and it would be nice to have that cleared up as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Backport locking fix in sljit allocator lbonn/pcre2
6 participants
@carenas @zherczeg @lbonn @dangelog @easyteacher @PhilipHazel