On Mon, Jun 27, 2016 at 09:33:40AM -0600, Ted Unangst wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: [email protected] 2016/06/27 09:33:40
>
> Modified files:
> lib/libc/stdlib: malloc.c
>
> Log message:
> defer munmap to after unlocking malloc. this can (unfortunately) be an
> expensive syscall, and we don't want to tie up other threads. there's no
> need to hold the lock, so defer it to afterwards.
> from Michael McConville
> ok deraadt
There's a race condtion here. The assignments to d_unmap_me and
unmap_me_sz are not atomic. A thread leaving could call munmap(2) on
partiallly assigned data.
-Otto
