Bug 3313 - madvise(M_MXFAST,0) sets up a crash
Summary: madvise(M_MXFAST,0) sets up a crash
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-06 00:36 UTC by Petr Baudis
Modified: 2016-08-22 13:45 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments
Description Petr Baudis 2006-10-06 00:36:34 UTC
When a program calls madvise(M_MXFAST, 0), it will crash the next time it tries
to do some memory allocation or get into an infinite loop when it remadvises
M_MXFAST to some other value. The problem probably stems from the handling of
the first two "unindexable" bins (although I'm not sure right now how they are
unindexable) - madvise(M_MXFAST, 0) will set the max_fast to SMALLBIN_WIDTH but
fastbin_index(SMALLBIN_WIDTH) == -1, which ain't any good when you use that as
an index to the buckets array.
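The index arithmetic the report describes, as an added example; this is not code from the report or from glibc. It assumes 32-bit constants (SIZE_SZ 4, MALLOC_ALIGNMENT and SMALLBIN_WIDTH 8, smallest real chunk 16 bytes), the renumbered index formula (sz >> 3) - 2, and a fast-bin array of 10 entries. The consolidate walk and its checked variant are simplified models of a loop that derives a bin pointer from max_fast, not glibc's loop or its fix.

```c
/* Added example: model of the fast-bin index computation for a
 * mallopt(M_MXFAST, 0) call.  All constants are assumptions for a
 * 32-bit build and are not taken from the report. */
#include <stdio.h>

#define SIZE_SZ            4u
#define MALLOC_ALIGNMENT   (2u * SIZE_SZ)            /* 8 */
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1u)
#define SMALLBIN_WIDTH     MALLOC_ALIGNMENT          /* 8 */
#define MIN_CHUNK_SIZE     (2u * MALLOC_ALIGNMENT)   /* 16: smallest real chunk */
#define NFASTBINS          10                        /* assumed array length */

/* Renumbered index: shift by 3, subtract 2, so the 16-byte chunk is bin 0.
 * Evaluated in signed int so the out-of-range result for 8 shows up as -1. */
static int fastbin_index(unsigned sz)
{
    return (int)(sz >> 3) - 2;
}

/* max_fast update as the report describes it: a request of 0 does not
 * disable fast bins, it stores SMALLBIN_WIDTH, which is below every
 * chunk size that can actually exist. */
static unsigned set_max_fast(unsigned s)
{
    return s == 0 ? SMALLBIN_WIDTH : (s + SIZE_SZ) & ~MALLOC_ALIGN_MASK;
}

/* Model of a consolidate walk: start at bin 0 and stop after reaching the
 * bin derived from max_fast.  Returns the number of bins visited, or -1
 * when that bin lies outside the array; in a real pointer-based loop the
 * terminator is never reached and the walk reads past the bin array. */
static int consolidate_bins_visited(unsigned max_fast)
{
    int last = fastbin_index(max_fast);
    if (last < 0 || last >= NFASTBINS)
        return -1;
    int fb = 0, visited = 0;
    do {
        visited++;
    } while (fb++ != last);
    return visited;
}

/* Checked variant (an assumption of this example, not glibc's fix): a
 * max_fast below the smallest chunk means no chunk can be in a fast bin,
 * so nothing is walked; anything above the array is clamped to the end. */
static int consolidate_bins_visited_checked(unsigned max_fast)
{
    if (max_fast < MIN_CHUNK_SIZE)
        return 0;
    int last = fastbin_index(max_fast);
    if (last >= NFASTBINS)
        last = NFASTBINS - 1;
    return last + 1;
}

int main(void)
{
    unsigned mf0 = set_max_fast(0);
    printf("M_MXFAST=0:  max_fast=%u index=%d walk=%d checked=%d\n",
           mf0, fastbin_index(mf0), consolidate_bins_visited(mf0),
           consolidate_bins_visited_checked(mf0));
    unsigned mf64 = set_max_fast(64);
    printf("M_MXFAST=64: max_fast=%u index=%d walk=%d checked=%d\n",
           mf64, fastbin_index(mf64), consolidate_bins_visited(mf64),
           consolidate_bins_visited_checked(mf64));
    return 0;
}
```

Build with cc and run: the first line shows max_fast 8 mapping to index -1 and the unchecked walk reporting -1 (no terminator inside the array), while the 64-byte setting gives index 6 and a seven-bin walk; the checked walk visits nothing for the 0 case instead of deriving an index from it.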
Comment 1 Ulrich Drepper 2006-10-13 20:53:57 UTC
I couldn't reproduce the problem but there were two things clearly wrong.  Neither
was introduced by the renumbering of the fast bins; they existed before.
But the renumbering exposed the problems.

The CVS code should be fixed.  Try it and report back.