From 83c51fffe6bad36a7143c30946ac5445f9ca4c56 Mon Sep 17 00:00:00 2001
From: Corinna Vinschen
Date: Tue, 22 Jan 2019 16:22:45 +0100
Subject: [PATCH] Cygwin: posix timers: allocate timer_tracker on system heap.

Allocating on the cygheap would copy information of the tracker into the child process. A forked child knows the timer id and could simply still access the (free'd but still valid) timer_tracker on the heap, which is dangerous and very certainly doesn't reflect POSIX semantics.

Signed-off-by: Corinna Vinschen
---
 winsup/cygwin/cygheap_malloc.h | 3 +--
 winsup/cygwin/posix_timer.cc | 5 +++--
 winsup/cygwin/posix_timer.h | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/winsup/cygwin/cygheap_malloc.h b/winsup/cygwin/cygheap_malloc.h
index cd545c35d..74f0bb619 100644
--- a/winsup/cygwin/cygheap_malloc.h
+++ b/winsup/cygwin/cygheap_malloc.h
@@ -34,8 +34,7 @@ enum cygheap_types
 HEAP_2_DLL,
 HEAP_MMAP,
 HEAP_2_MAX = 200,
- HEAP_3_FHANDLER,
- HEAP_3_TIMER
+ HEAP_3_FHANDLER
 };
 extern "C" {
diff --git a/winsup/cygwin/posix_timer.cc b/winsup/cygwin/posix_timer.cc
index 8651c226c..e969dcc78 100644
--- a/winsup/cygwin/posix_timer.cc
+++ b/winsup/cygwin/posix_timer.cc
@@ -414,10 +414,11 @@ timer_tracker::settime (int flags, const itimerspec *new_value,
 return ret;
 }
-/* The timers are stored on the cygheap. */
+/* The timers are stored on the system heap in order to avoid accidental
+ leaking of timer ids into the child process. */
 #define cnew(name, ...) \
 ({ \
- void* ptr = (void*) ccalloc (HEAP_3_TIMER, 1, sizeof (name)); \
+ void* ptr = (void*) HeapAlloc (GetProcessHeap (), 0, sizeof (name)); \
 ptr ? new (ptr) name (__VA_ARGS__) : NULL; \
 })
diff --git a/winsup/cygwin/posix_timer.h b/winsup/cygwin/posix_timer.h
index 04a383fd6..f69a179c3 100644
--- a/winsup/cygwin/posix_timer.h
+++ b/winsup/cygwin/posix_timer.h
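Review bot: The new allocation in `cnew` (posix_timer.cc hunk) is not zero-filled: the removed `ccalloc (HEAP_3_TIMER, 1, sizeof (name))` is a calloc-style call, while `HeapAlloc` with flags `0` returns memory with indeterminate contents. If the `timer_tracker` constructor, which lies outside this hunk, leaves any member unset, that member now starts with stale heap data instead of zero. Passing `HEAP_ZERO_MEMORY` keeps the previous guarantee: `void* ptr = (void*) HeapAlloc (GetProcessHeap (), HEAP_ZERO_MEMORY, sizeof (name)); \`.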
@@ -30,7 +30,7 @@ class timer_tracker
 public:
 void *operator new (size_t, void *p) __attribute__ ((nothrow)) {return p;}
- void operator delete (void *p) { cfree (p); }
+ void operator delete (void *p) { HeapFree (GetProcessHeap (), 0, p); }
 timer_tracker (clockid_t, const sigevent *);
 ~timer_tracker ();
 inline bool is_timer_tracker () const { return magic == TT_MAGIC; }
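Review bot: `operator delete` now has to stay paired with the `cnew` macro in posix_timer.cc, and nothing on this line says so; a block taken from one heap and released to the other would corrupt it. A short comment would record the contract, e.g. `/* Storage comes from the process heap via cnew in posix_timer.cc; keep both in sync. */`. Separately, `is_timer_tracker ()` only compares `magic`, and `HeapFree` does not scrub the block, so a stale timer id used in the same process can presumably still pass that check unless the destructor (not shown here) resets `magic`. The class body continues outside the hunk.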