On Fri, May 22, 2020 at 04:02:31PM +0200, Mark Kettenis wrote:
> > From: "Todd C. Miller" <todd.mil...@sudo.ws>
> > Date: Fri, 22 May 2020 07:23:55 -0600
> >
> > On Fri, 22 May 2020 14:57:11 +0200, Marc Espie wrote:
> >
> > > From a security standpoint, is there a "cheap" way to make setlocale
> > > abort() instead of trying to do a double free when running in a race
> > > condition?
> >
> > We could use _THREAD_PRIVATE_MUTEX as we do in other parts of libc.
>
> That might eliminate two threads racing each other in setlocale(), but
> it wouldn't stop threads that actually access the locale from
> use-after-free type bugs. Unless you use the lock there as well. But
> that could have a major performance impact.
Well, I'd be happy to have an abort() in case a race is detected. As we said, this is 100% unsupported behavior! But it's reasonably hard to detect. Maybe a simple way to poison setlocale is if it's called from two different threads in a given process?... I have zero idea.

My point is NOT to make broken code work, but to make it obvious it's broken! Because right now, it's a sporadic race... and even though this is complicated, I fear it's a security issue waiting to happen.
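As an added illustration (not code from this thread or from OpenBSD libc) of the "poison setlocale if it's called from two different threads" idea: the first caller's thread id is claimed with a single compare-and-swap, and any later call from another thread takes the abort() path instead of racing. The wrapper name `checked_setlocale`, the owner variable and the use of 0 as the "no owner yet" sentinel are assumptions of this example.

```c
#include <locale.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical "poison" check: the first thread that calls setlocale()
 * becomes the owner; any later call from a different thread is reported.
 * 0 is the "no owner yet" sentinel, so a real thread id must be non-zero
 * (true for pthread_t on the common platforms).
 */
static _Atomic uintptr_t locale_owner = 0;

/* Returns true when `tid` may call setlocale(), false on a cross-thread call. */
bool locale_owner_check(uintptr_t tid)
{
    uintptr_t expected = 0;
    /* One CAS: claim ownership if nobody has, otherwise learn who did
     * (on failure the current owner is written back into `expected`). */
    if (atomic_compare_exchange_strong(&locale_owner, &expected, tid))
        return true;                 /* we are the first caller */
    return expected == tid;          /* only the owner may call again */
}

/* Wrapper a libc could use: fail loudly instead of racing in setlocale(). */
char *checked_setlocale(int category, const char *locale)
{
    if (!locale_owner_check((uintptr_t)pthread_self())) {
        fprintf(stderr, "setlocale() called from a second thread: aborting\n");
        abort();
    }
    return setlocale(category, locale);
}

int main(void)
{
    /* Same thread twice: allowed. */
    checked_setlocale(LC_ALL, "C");
    checked_setlocale(LC_CTYPE, "C");
    puts("same-thread calls accepted");

    /* A real second thread would hit abort(); shown here with a constructed
     * foreign id so the demo itself keeps running. */
    if (!locale_owner_check((uintptr_t)pthread_self() + 1))
        puts("foreign thread detected: checked_setlocale() would abort()");
    return 0;
}
```

This only flags the second caller of setlocale() itself; as Mark notes above, threads that merely read the locale after it has been freed are not covered by a check at this point.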