From 3afda5f0076beca786ecbe90875828eb6988a964 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 30 Nov 2010 22:30:12 +0100
Subject: [PATCH] sort -u: fix a thread-race pointer corruption bug
* src/sort.c (write_unique): Save the entire "struct line", not just a pointer to one. Otherwise, with a multi-thread run, sometimes, with some inputs, fillbuf would would win a race and clobber a "saved->text" pointer in one thread just before it was dereferenced in a comparison in another thread.
* NEWS (Bug fixes): Mention it.
---
 NEWS | 3 +++
 src/sort.c | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index 2d3f1f3..79484c1 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,9 @@ GNU coreutils NEWS -*- outline -*-
 od now prints floating-point numbers without losing information, and it no longer omits spaces between floating-point columns in some cases.
+ sort -u with at least two threads could attempt to read through a
+ corrupted pointer. [bug introduced in coreutils-8.6]
+
 ** New features split accepts the --number option to generate a specific number of files.
diff --git a/src/sort.c b/src/sort.c
index 7e25f6a..1aa1eb4 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -3226,13 +3226,13 @@ queue_pop (struct merge_node_queue *queue)
 static void write_unique (struct line const *line, FILE *tfp, char const *temp_output) {
- static struct line const *saved = NULL;
+ static struct line saved;
 if (!unique) write_line (line, tfp, temp_output);
- else if (!saved || compare (line, saved))
+ else if (!saved.text || compare (line, &saved))
 {
- saved = line;
+ saved = *line;
 write_line (line, tfp, temp_output); } }
--
2.7.4
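Review bot: In the src/sort.c hunk, `saved = *line;` is a shallow copy, so `saved.text` still points at bytes whose lifetime the patch does not show, and `saved` stays an unsynchronised function-local `static` in code the commit message says runs multi-threaded. The copy protects the struct's fields from being overwritten, but write_unique (fully visible in the hunk) states neither invariant it now relies on. I would add a comment above the declaration, along the lines of `/* Copy of the last line written: fillbuf may overwrite *line itself. saved.text is not copied and must stay valid until the next call; calls must be serialized. */`, with the wording confirmed against fillbuf and the merge-tree locking, which are outside this patch. The diffstat lists only NEWS and src/sort.c, so a regression test that runs `sort -u` with at least two threads, ideally under a memory-error checker, would help keep the corrupted-pointer read from returning.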