diff options
| author | Bernd Schubert <bschubert@ddn.com> | 2024-03-20 00:07:44 +0100 |
|---|---|---|
| committer | Bernd Schubert <bschubert@ddn.com> | 2024-03-20 12:32:39 +0100 |
| commit | 982743f0cad20de044d9767c7c8c46887fcb80c3 (patch) | |
| tree | f29ec29ca940508fcd8a182135ffb68118795e2e /test | |
| parent | f041818c633645754ddc1ceabb002805739be7aa (diff) | |
| download | libfuse-982743f0cad20de044d9767c7c8c46887fcb80c3.tar.gz | |
Fix use-after-free in example/poll.c
As noticed by valgrind in issue #907 example/poll.c
triggers a use-after-free
==85200== Thread 2:
==85200== Invalid read of size 4
==85200== at 0x485E54A: send_notify_iov (fuse_lowlevel.c:2267)
==85200== by 0x485E54A: fuse_lowlevel_notify_poll (fuse_lowlevel.c:2289)
==85200== by 0x1096F2: fsel_producer (poll.c:245)
==85200== by 0x4897EA6: start_thread (pthread_create.c:477)
==85200== by 0x49ADA6E: clone (clone.S:95)
==85200== Address 0x5291d68 is 392 bytes inside a block of size 920 free'd
==85200== at 0x48399AB: free (vg_replace_malloc.c:538)
==85200== by 0x485A12C: fuse_destroy (fuse.c:5103)
==85200== by 0x486220F: fuse_main_real (helper.c:389)
==85200== by 0x1091D6: main (poll.c:288)
==85200== Block was alloc'd at
==85200== at 0x483AB65: calloc (vg_replace_malloc.c:760)
==85200== by 0x485BAA0: fuse_session_new (fuse_lowlevel.c:3036)
==85200== by 0x4859AF2: fuse_new@@FUSE_3.1 (fuse.c:4966)
==85200== by 0x4862129: fuse_main_real (helper.c:345)
==85200== by 0x1091D6: main (poll.c:288)
Issue is that the "fsel_producer" thread is still active after
fuse_destroy - it gets destructed too late.
Diffstat (limited to 'test')
0 files changed, 0 insertions, 0 deletions