Details
- Bug
- Resolution: Unresolved
- Major
Description
API:
RtlpReleaseWaitBlockLockExclusive
RtlpAcquireSRWLockSharedWait
Problem Description
Thread A first acquires the lock exclusively (write), and then 10 threads attempt to acquire it shared (read) and enter the wait state. When thread A releases the exclusive lock, the following occurs:
- The RTL_SRWLOCK_CONTENDED flag is not set in the new lock value: the waiting reader threads therefore do not check their Wake value before resuming execution, so they return from the wait and the stack memory behind WakeChain becomes invalid.
- An invalid WakeChain is accessed: after thread A sets NewValue = ((LONG_PTR)FirstWaitBlock->SharedCount << RTL_SRWLOCK_BITS) | RTL_SRWLOCK_SHARED | RTL_SRWLOCK_OWNED; it still walks WakeChain, even though the waiting reader threads have already resumed and their stack variable WakeChain is no longer valid, which leads to a crash.
    /* Walk the chain of shared waiters and set each one's Wake flag */
    WakeChain = FirstWaitBlock->SharedWakeChain;
    do
    {
        /* Read Next before waking: after Wake is set, the block may be gone */
        NextWake = WakeChain->Next;

        (void)InterlockedOr((PLONG)&WakeChain->Wake,
                            TRUE);

        WakeChain = NextWake;
    } while (WakeChain != NULL);
This sequence crashes because WakeChain is accessed after the threads that own the wait blocks have resumed, so the memory the chain points to is no longer valid.
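The lifetime rule the report is about can be shown with a small model of the wake chain. The following is an added example written for this page, not ReactOS code: it uses pthreads and C11 atomics, and the names ModelLock, WaitBlock, shared_waiter, release_exclusive and run_scenario are hypothetical stand-ins for the SRW lock, the wait block, RtlpAcquireSRWLockSharedWait and RtlpReleaseWaitBlockLockExclusive. Each waiter keeps its wait block on its own stack, exactly like the real wait blocks, so the releasing thread may only touch a block before it sets that block's Wake flag, and a waiter may only return after its Wake flag is set. Gating the waiter on the lock word instead of on Wake (which is what an unset RTL_SRWLOCK_CONTENDED bit causes) is the premature resume that leaves the releaser walking dead stack frames.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stddef.h>

/* Hypothetical, simplified model of an SRW-style shared wake chain (not ReactOS code). */
typedef struct WaitBlock {
    struct WaitBlock *Next;  /* next shared waiter; the releaser reads this before setting Wake */
    atomic_int Wake;         /* set by the releasing thread once it is done touching this block */
} WaitBlock;

typedef struct {
    pthread_mutex_t ChainLock;  /* stand-in for the wait-block lock that guards the chain */
    WaitBlock *Head;            /* chain of shared waiters */
    atomic_int LockWord;        /* models SRWLock->Ptr: 1 = exclusively owned, 0 = released */
    atomic_int Enqueued;        /* waiters that have linked themselves into the chain */
    atomic_int Woken;           /* waiters that resumed because their Wake flag was set */
} ModelLock;

static void *shared_waiter(void *arg)
{
    ModelLock *lock = arg;
    WaitBlock block;              /* lives on this thread's stack, like the real wait block */
    block.Next = NULL;
    atomic_init(&block.Wake, 0);

    pthread_mutex_lock(&lock->ChainLock);
    block.Next = lock->Head;
    lock->Head = &block;
    pthread_mutex_unlock(&lock->ChainLock);
    atomic_fetch_add(&lock->Enqueued, 1);

    /* The waiter must gate on its own Wake flag, never on LockWord alone.
       Returning as soon as LockWord reads "released" is the premature resume the
       report describes: the releasing thread would then walk a dead stack frame. */
    while (atomic_load(&block.Wake) == 0)
        sched_yield();
    atomic_fetch_add(&lock->Woken, 1);
    return NULL;                  /* block is destroyed here; nobody may touch it after Wake */
}

static void release_exclusive(ModelLock *lock)
{
    /* Publish the new lock state first, as the original does with NewValue... */
    atomic_store(&lock->LockWord, 0);

    /* ...then wake the chain. Invariant: load Next BEFORE storing Wake, because
       once Wake is set the owner may return and the block ceases to exist. */
    WaitBlock *wake_chain = lock->Head;
    while (wake_chain != NULL) {
        WaitBlock *next_wake = wake_chain->Next;
        atomic_store(&wake_chain->Wake, 1);
        wake_chain = next_wake;
    }
    lock->Head = NULL;
}

/* Thread A (the caller) holds the lock exclusively, `readers` threads queue as
   shared waiters, then A releases. Returns how many readers resumed via Wake,
   or -1 for an out-of-range reader count. */
int run_scenario(int readers)
{
    ModelLock lock;
    pthread_t threads[64];
    if (readers < 1 || readers > 64)
        return -1;

    pthread_mutex_init(&lock.ChainLock, NULL);
    lock.Head = NULL;
    atomic_init(&lock.LockWord, 1);       /* thread A owns the lock exclusively */
    atomic_init(&lock.Enqueued, 0);
    atomic_init(&lock.Woken, 0);

    for (int i = 0; i < readers; i++)
        pthread_create(&threads[i], NULL, shared_waiter, &lock);

    /* Wait until every reader is parked in the chain, then release like thread A. */
    while (atomic_load(&lock.Enqueued) < readers)
        sched_yield();
    release_exclusive(&lock);

    for (int i = 0; i < readers; i++)
        pthread_join(threads[i], NULL);
    pthread_mutex_destroy(&lock.ChainLock);
    return atomic_load(&lock.Woken);
}

int main(void)
{
    /* The report's scenario: one exclusive owner, ten shared waiters. */
    return run_scenario(10) == 10 ? 0 : 1;
}
```

The two ordering rules in the model are the whole point: the releaser reads Next before it stores Wake (the original loop already does this), and the waiter returns only after Wake is set. If the second rule is skipped, as the report says happens when RTL_SRWLOCK_CONTENDED is not set, the first rule no longer protects anything, because the waiter's frame can be torn down while the releaser is still between loading Next and storing Wake.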