Fix uaf in DestroyThread function

upstream cherrypick : 14f609a711f61c0724
From: Konstantin Baladurin <k.baladurin@partner.samsung.com>
Date: Fri, 8 Dec 2017 15:28:40 +0300
Subject: Fix uaf in DestroyThread function.

Mark thread's buffers as no longer owned before calling
Thread::OnThreadTerminate because thread can delete itself in
this method.

Change-Id: Ie897af344db4021c015deb0b2e72ac642d2e0c6e
Signed-off-by: chunseok lee <chunseok.lee@samsung.com>

diff --git a/packaging/0001-Fix-uaf-in-DestroyThread-function.patch b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
new file mode 100644 (file)
index 0000000..d41473e
--- /dev/null
+++ b/packaging/0001-Fix-uaf-in-DestroyThread-function.patch
@@ -0,0 +1,52 @@
+From 26319006acafde23118c2fd566525a8c2864e748 Mon Sep 17 00:00:00 2001
+From: chunseok lee <chunseok.lee@samsung.com>
+Date: Wed, 13 Dec 2017 12:24:34 +0900
+Subject: [PATCH] Fix uaf in DestroyThread function
+
+upstream cherrypick : 14f609a711f61c0724
+From: Konstantin Baladurin <k.baladurin@partner.samsung.com>
+Date: Fri, 8 Dec 2017 15:28:40 +0300
+Subject: Fix uaf in DestroyThread function.
+
+Mark thread's buffers as no longer owned before calling
+Thread::OnThreadTerminate because thread can delete itself in
+this method.
+
+Signed-off-by: chunseok lee <chunseok.lee@samsung.com>
+---
+ src/vm/threads.cpp | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/vm/threads.cpp b/src/vm/threads.cpp
+index df8916c..59633fe 100644
+--- a/src/vm/threads.cpp
++++ b/src/vm/threads.cpp
+@@ -987,12 +987,6 @@ void DestroyThread(Thread *th)
+ #endif // _TARGET_X86_
+ #endif // WIN64EXCEPTIONS
+ 
+-    if (g_fEEShutDown == 0) 
+-    {
+-        th->SetThreadState(Thread::TS_ReportDead);
+-        th->OnThreadTerminate(FALSE);
+-    }
+-
+ #ifdef FEATURE_PERFTRACING
+     // Before the thread dies, mark its buffers as no longer owned
+     // so that they can be cleaned up after the thread dies.
+@@ -1002,6 +996,12 @@ void DestroyThread(Thread *th)
+         pBufferList->SetOwnedByThread(false);
+     }
+ #endif // FEATURE_PERFTRACING
++
++    if (g_fEEShutDown == 0)
++    {
++        th->SetThreadState(Thread::TS_ReportDead);
++        th->OnThreadTerminate(FALSE);
++    }
+ }
+ 
+ //-------------------------------------------------------------------------
+-- 
+2.7.4
+

diff --git a/packaging/coreclr.spec b/packaging/coreclr.spec
index acebdf8..1af5bba 100644 (file)
--- a/packaging/coreclr.spec
+++ b/packaging/coreclr.spec
@@ -23,7 +23,7 @@ Source1000: downloaded_files.tar.gz
 Source1001: %{name}.manifest
 Source1002: libicu.tar.gz
 Source1003: dep_libs.tar.gz
-# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
+# Gbp-Ignore-Patches: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
 Patch0:     0001-Add-project.assets.json-files.patch
 Patch1:     0001-ARM-Linux-Support-unaligned-struct-read-write-11290.patch
 Patch2:     0002-x86-Linux-Thread-safe-UMThunkMarshInfo-RunTimeInit-1.patch
@@ -62,7 +62,7 @@ Patch34:     0001-Fix-assert-in-HelperMethodFrame-UpdateRegDisplay-142.patch
 Patch35:     0001-Fix-clrstack-command-of-lldb-sosplugin-on-x86-13973.patch
 Patch36:     0001-Fix-typo-in-SetDebuggerREGDISPLAYFromREGDISPLAY-1422.patch
 Patch37:     0001-Use-addresses-without-sign-extension-in-lldb-plugin-.patch
-
+Patch38:     0001-Fix-uaf-in-DestroyThread-function.patch
 
 ExcludeArch: aarch64
 
@@ -199,6 +199,7 @@ cp %{SOURCE1001} .
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
 
 %if 0%{skipmscorlib}
 %else