Description
openedon Jun 9, 2020
I discovered this while trying to call sentry_init, sentry_shutdown and sentry_capture_event multiple times from multiple threads at the same time during unit tests, not a valid use-case scenario of this library.
But I can imagine a valid use case to be when sentry_shutdown is called while other threads are still busy using sentry_capture_event.
Basically what happens is that functions like sentry_capture_event do this:
sentry-native/src/sentry_core.c
Line 257 in 9651561
They check if it's valid here:
sentry-native/src/sentry_core.c
Line 258 in 9651561
And then use it multiple times here:
sentry-native/src/sentry_core.c
Lines 282 to 285 in 9651561
The issue arises when on a different thread sentry_shutdown is called which invalidates g_options and makes access to it access freed memory.
So the missing part here to me seems a missing lock around g_options_mutex.
Another example is sentry_start_session:
sentry-native/src/sentry_session.c
Lines 206 to 214 in 9651561
So
SENTRY_WITH_SCOPE_MUT locks g_lock:sentry-native/src/sentry_scope.c
Lines 85 to 90 in 9651561
But
sentry_shutdown locks a different mutex, g_options_mutex:sentry-native/src/sentry_core.c
Lines 142 to 145 in 9651561
Which doesn't block
sentry_start_session from using already freed memory:sentry-native/src/sentry_session.c
Line 54 in 9651561
sentry-native/src/sentry_session.c
Lines 64 to 65 in 9651561
There are more offenders similar to those.
Is there an intention to account for this scenario?