Bug 678515

Summary: User can access freed members of a dead thread
Product: [Mono] Mono: Runtime Reporter: Rodrigo Kumpera <rkumpera>
Component: miscAssignee: Mono Bugs <mono-bugs>
Status: RESOLVED FIXED QA Contact: Mono Bugs <mono-bugs>
Severity: Critical    
Priority: P5 - None CC: meissner, security-team
Version: SVN   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Rodrigo Kumpera 2011-03-10 13:15:09 UTC 
Threads are not properly cleaned up on finalization so if one get resurrected it's possible to see pointer to freed memory or similar.

I haven't figured out the whole extension of the problem, but so far one Thread.Name is affected.
Comment 1 Rodrigo Kumpera 2011-03-10 13:17:22 UTC 
Created attachment 418589 [details]
Fix against trunk for Thread.Name 

Fixes, on trunk, user been able to see freed memory.
Comment 2 Rodrigo Kumpera 2011-03-10 13:18:35 UTC 
Created attachment 418590 [details]
Test case

This is the baseline test that exposes a resurrected and cleaned up thread.

The test won't crash, but the code will access freed memory.
Comment 3 Rodrigo Kumpera 2011-03-10 13:19:13 UTC 
CC'ng spouliot.
Comment 4 Rodrigo Kumpera 2011-03-10 13:37:05 UTC 
Created attachment 418600 [details]
Fixes 2.6

This patch fixes 2.6.
Comment 5 Rodrigo Kumpera 2011-03-10 13:39:16 UTC 
Sebastien, I reviewed all relevant code for this and, AFAICT, this is it.

The worst that can happen is a crash or information disclosure as the memory is only read from.
Comment 6 Sebastien Pouliot 2011-04-06 17:30:55 UTC 
CVE-2011-0992: information leak due to improper thread finalization

committed to master as 722f9890f09aadfc37ae479e7d946d5fc5ef7b91
Comment 7 Marcus Meissner 2011-04-06 18:03:20 UTC 
made comments public for reference. CVE-2011-0992
Comment 8 Ludwig Nussel 2011-04-08 07:17:12 UTC 
released