This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]
- From: Mel Gorman <mgorman at suse dot de>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>, Carlos O'Donell <carlos at redhat dot com>
- Cc: Andreas Schwab <schwab at linux-m68k dot org>, libc-alpha at sourceware dot org
- Date: Mon, 22 Jun 2015 09:54:07 +0100
- Subject: Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]
- References: <20150608123613 dot GO26425 at suse dot de> <20150615080224 dot GJ26425 at suse dot de>
On Mon, Jun 15, 2015 at 09:02:24AM +0100, Mel Gorman wrote:
> On Mon, Jun 08, 2015 at 01:36:13PM +0100, Mel Gorman wrote:
> > mksquashfs was reported in openSUSE to be causing segmentation faults when
> > creating installation images. Testing showed that mksquashfs sometimes
> > failed and could be reproduced within 10 attempts. The core dump looked
> > like the heap top was corrupted and was pointing to an unmapped area. In
> > other cases, this has been due to an application corrupting glibc structures
> > but mksquashfs appears to be fine in this regard.
> >
> > The problem is that heap_trim is "growing" the top into unmapped space.
> > If the top chunk == MINSIZE then top_area is -1 and this check does not
> > behave as expected due to a signed/unsigned comparison
> >
> >     if (top_area <= pad)
> >       return 0;
> >
> > The next calculation extra = ALIGN_DOWN(top_area - pad, pagesz) calculates
> > extra as a negative number which also is unnoticed due to a signed/unsigned
> > comparison. We then call shrink_heap(heap, negative_number) which crashes
> > later. This patch adds a simple check against MINSIZE to make sure extra
> > does not become negative. It adds a cast to hint to the reader that this
> > is a signed vs unsigned issue.
> >
> > Without the patch, mksquashfs fails within 10 attempts. With it applied, it
> > completed 1000 times without error. The standard test suite "make check"
> > showed no changes in the summary of test results.
> >
> > 2015-06-08 Mel Gorman <mgorman@suse.de>
> >
> > [BZ #18502]
> > * malloc/arena.c: Avoid corruption of the top of heaps for threads
>
> Ping as it's been one week since the last submission.
>
Another ping as it's been one week since the last ping.
--
Mel Gorman
SUSE Labs
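As an added illustration of the signed/unsigned defect described in the quoted patch description, here is a small model of the heap_trim guard; it is not the patch's text and not glibc's code. The function names, the MINSIZE value of 32 and the 4096-byte page size are assumptions, and the "fixed" variant follows the described approach (reject a negative top_area, add an explicit cast) rather than reproducing the submitted diff.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model of the heap_trim guard discussed in the thread; not
   glibc's code. MINSIZE and the page size are assumed values (32 and 4096,
   as on a typical 64-bit build), and ALIGN_DOWN follows glibc's definition. */
#define MINSIZE 32UL
#define PAGESZ  4096UL
#define ALIGN_DOWN(base, size) ((base) & -((__typeof__ (base)) (size)))
#pragma GCC diagnostic ignored "-Wsign-compare" /* the bug is the comparison */

/* Pre-fix logic: top_area is a signed long but is compared against the
   unsigned pad, so -1 is promoted to SIZE_MAX and the guard never fires.
   Returns the byte count that would reach shrink_heap, 0 if trimming is
   skipped. When top_size == MINSIZE the result is a huge bogus value. */
size_t trim_amount_buggy(size_t top_size, size_t pad)
{
  long top_area = top_size - MINSIZE - 1;   /* -1 when top_size == MINSIZE */
  long extra;
  if (top_area <= pad)                      /* -1 becomes SIZE_MAX here */
    return 0;
  extra = ALIGN_DOWN(top_area - pad, PAGESZ); /* negative for top_area < 0 */
  if (extra == 0)
    return 0;
  return (size_t) extra;
}

/* Fixed logic in the spirit of the patch: reject a negative top_area before
   any unsigned comparison, and cast explicitly so the intent is visible. */
size_t trim_amount_fixed(size_t top_size, size_t pad)
{
  long top_area = top_size - MINSIZE - 1;
  long extra;
  if (top_area < 0 || (size_t) top_area <= pad)
    return 0;
  extra = ALIGN_DOWN(top_area - pad, PAGESZ);
  if (extra == 0)
    return 0;
  return (size_t) extra;
}

int main(void)
{
  /* Top chunk exactly MINSIZE: the case that crashed mksquashfs. */
  printf("buggy: %zu bytes to shrink_heap\n", trim_amount_buggy(MINSIZE, 0));
  printf("fixed: %zu bytes to shrink_heap\n", trim_amount_fixed(MINSIZE, 0));
  /* Healthy top chunk of two pages plus overhead: both agree. */
  printf("buggy: %zu\n", trim_amount_buggy(MINSIZE + 1 + 2 * PAGESZ, 0));
  printf("fixed: %zu\n", trim_amount_fixed(MINSIZE + 1 + 2 * PAGESZ, 0));
  return 0;
}
```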