...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <glib.h>
#include <glib-object.h>
typedef struct node_s {
void *data;
Node *next;
} Node;
typedef struct queue_s {
Node *head;
Node *tail;
} Queue;
Queue* queue_new(void) {
Queue *q = g_slice_new(sizeof(Queue));
q->head = q->tail = g_slice_new(sizeof(Node));
return q;
}
void queue_enqueue(Queue *q, gpointer data) {
Node *node;
Node *tail;
Node *next;
node = g_slice_new(Node);
node->data = data;
node->next = NULL;
while (TRUE) {
tail = q->tail;
next = tail->next;
if (tail != q->tail) {
continue;
}
if (next != NULL) {
CAS(&q->tail, tail, next);
continue;
}
if (CAS(&tail->next, nullNULL, node)) {
break;
}
}
CAS(&q->tail, tail, node);
}
gpointer queue_dequeue(Queue *q) {
Node *node;
Node *head;
Node *tail;
Node *next;
gpointer data;
while (TRUE) {
head = q->head;
tail = q->tail;
next = head->next;
if (head != q->head) {
continue;
}
if (next == NULL) {
return NULL; /* Empty */
}
if (head == tail) {
CAS(&q->tail, tail, next);
continue;
}
data = next->data;
if (CAS(&q->head, head, next)) {
break;
}
}
g_slice_free(Node, head);
return data;
}
|
...
The following sequence of operations occurs:
Thread | Queue Before | Operation | Queue After |
|---|---|---|---|
|
| Enters |
|
|
| Removes node A |
|
|
| Removes node B |
|
|
| Enqueues node A back into the queue |
|
|
| Removes node C |
|
|
| Enqueues a new node D |
|
|
| Thread 1 starts execution | undefined {} |
According to the sequence of events in this table, head will now point to memory that was freed. Also, if reclaimed memory is returned to the operating system (for example, using munmap()), access to such memory locations can result in fatal access violation errors. The ABA problem occurred because of the internal reuse of nodes that have been popped off the list or the reclamation of memory occupied by removed nodes.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Hazard pointers types and structure */
structure HPRecType {
HP[K]:*Nodetype;
Next:*HPRecType;
}
/* The header of the HPRec list */
HeadHPRec: *HPRecType;
/* Per-thread private variables */
rlist: listType; /* Initially empty */
rcount: integer; /* Initially 0 */
/* The retired node routine */
RetiredNode(node:*NodeType) {
rlist.push(node);
rcount++;
if(rcount >= R)
Scan(HeadHPRec);
}
/* The scan routine */
Scan(head:*HPRecType) {
/* Stage 1: Scan HP list and insert non-null values in plist */
plist.init();
hprec<-head;
while (hprec != nullNULL) {
for (i<-0 to K-1) {
hptr<-hprec^HP[i];
if (hptr!= nullNULL)
plist.insert(hptr);
}
hprec<-hprec^Next;
}
/* Stage 2: search plist */
tmplist<-rlist.popAll();
rcount<-0;
node<-tmplist.pop();
while (node != nullNULL) {
if (plist.lookup(node)) {
rlist.push(node);
rcount++;
}
else {
PrepareForReuse(node);
}
node<-tmplist.pop();
}
plist.free();
}
|
...
The likelihood of having a race condition is low. Once the race condition occurs, the reading memory that has already been freed can lead to abnormal program termination or unintended information disclosure.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level | |
|---|---|---|---|
CON09-C | Medium | Unlikely | No |
No | P2 | L3 |
Automated Detection
| Tool | Version | Checker | Description |
|---|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
| [Apiki 2006] | "Lock-Free Programming on AMD Multi-Core System" |
| [Asgher 2000] | "Practical Lock-Free Buffers" |
| [Michael 2004] | "Hazard Pointers" |
...
...