This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] malloc: Ensure tcache count won't overflow


I had a bit of a discussion with Adam before he posted this, so I'm a
bit biased, but +1 from me.

Biased-Review-by: DJ Delorie <dj@redhat.com>

Adam Maris <amaris@redhat.com> writes:
> -  assert (tcache->entries[tc_idx] > 0);
> +  assert (tcache->counts[tc_idx] > 0);
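Review bot: the old assertion compared `tcache->entries[tc_idx]`, a pointer, against the integer 0 with `>`, which is a pointer/integer comparison that says nothing about how many chunks the bin holds; `tcache->counts[tc_idx] > 0` is the check the subject line describes, because the count is the value that must stay consistent with the list when a `next` link has been corrupted into a cycle. Worth a sentence in the commit message saying that the count, not the head pointer, is what the test below drives out of sync.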

Honestly, I don't know what I was thinking when I originally wrote that,
but IMHO this is obviously correct in hindsight.  We don't compare
pointers with signed integers, and if tcache->entries[tc_idx] were NULL,
it would have segfaulted in the next line anyway:

>    tcache->entries[tc_idx] = e->next;
> +  void* p = malloc(SZ);
> +  void* q = malloc(SZ);
> +
> +  free(p);
> +  free(q);
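Review bot: `p` and `q` are used without checking the `malloc` results for NULL, and the test only exercises tcache if `SZ` is a size served from a tcache bin, but `SZ` is not defined in the visible lines; add a NULL check (glibc's support/check.h `TEST_VERIFY` would do) and a comment tying `SZ` to the tcache size range, so the test cannot pass vacuously if the allocations take a different path.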

tcache contains q -> p -> NULL

> +  // corrupt the next pointer of last chunk in tcache
> +  memcpy(p, &q, sizeof(void*));
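Review bot: the comment should say why writing to the first bytes of `p` changes the list link (a freed chunk's user data holds the tcache `next` pointer), so a reader sees this is deliberate corruption of the free list rather than a use-after-free slip; the surrounding prose explains it but the code does not. Style: glibc uses `/* */` comments and a space before the call parenthesis, i.e. `memcpy (p, &q, sizeof (void *))`.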

p->next now points to the same chunk q points to, so tcache now
contains:

q -> p -> q -> p -> <etc>

> +  malloc(SZ);
> +  malloc(SZ);
> +  malloc(SZ);
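Review bot: these three discarded `malloc (SZ)` calls are the whole point of the test, but nothing visible says how the test reports success: the expected outcome is an abort from the count check, so the test should declare that (support/test-driver.c honours `EXPECTED_SIGNAL` and `EXPECTED_STATUS`) or it will be reported as failing precisely when the check works. Assigning the results to variables would also make it clear that three allocations against a two-chunk bin are deliberate.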

Since there are only two real chunks in tcache, one of these should
detect it...
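The state transitions DJ describes above (q -> p -> NULL, then a cycle after the memcpy, then the third malloc tripping the count) can be replayed on a toy model of one tcache bin. The following is an added illustration written for this archive page; it is not glibc code, and `tcache_bin`, `tc_put`, `tc_get`, `tc_get_unchecked` and the two `replay_*` functions are names invented here. The two fake chunks are constructed pointer-aligned buffers, not real heap chunks.

```c
/* Toy model of a glibc tcache bin: a singly linked free list threaded
   through the freed chunks' user data, plus a per-bin count.  Added
   illustration, not glibc's implementation. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct tcache_entry
{
  struct tcache_entry *next;   /* link lives in the freed chunk itself */
} tcache_entry;

typedef struct
{
  unsigned char counts;        /* chunks the bin believes it holds */
  tcache_entry *entries;       /* head of the free list */
} tcache_bin;

/* free (): push the chunk on the list and bump the count. */
static void
tc_put (tcache_bin *bin, void *chunk)
{
  tcache_entry *e = chunk;
  e->next = bin->entries;
  bin->entries = e;
  bin->counts++;
}

/* malloc () after the patch: refuse to pop when the count says the bin
   is empty.  Returns NULL where glibc's
   assert (tcache->counts[tc_idx] > 0) would abort. */
static void *
tc_get (tcache_bin *bin)
{
  if (bin->counts == 0)
    return NULL;               /* list claims more chunks than were freed */
  tcache_entry *e = bin->entries;
  bin->entries = e->next;
  bin->counts--;
  return e;
}

/* malloc () with only the old pointer test: a cyclic list keeps
   handing out the same chunks forever. */
static void *
tc_get_unchecked (tcache_bin *bin)
{
  if (bin->entries == NULL)
    return NULL;
  tcache_entry *e = bin->entries;
  bin->entries = e->next;
  return e;
}

/* Build the state from the patch's test: free p, free q (q -> p -> NULL),
   then point p's link back at q so the list cycles q -> p -> q -> ... */
static void
build_cyclic_bin (tcache_bin *bin, void *p, void *q)
{
  bin->counts = 0;
  bin->entries = NULL;
  tc_put (bin, p);
  tc_put (bin, q);
  memcpy (p, &q, sizeof (void *));   /* p->next = q, count still 2 */
}

/* Three allocations against a two-chunk bin; returns how many succeed. */
static int
replay_checked (void)
{
  static void *storage[2][8];        /* two constructed fake chunks */
  tcache_bin bin;
  build_cyclic_bin (&bin, storage[0], storage[1]);
  int got = 0;
  for (int i = 0; i < 3; i++)
    if (tc_get (&bin) != NULL)
      got++;
  return got;                         /* 2: the third pop is refused */
}

static int
replay_unchecked (void)
{
  static void *storage[2][8];
  tcache_bin bin;
  build_cyclic_bin (&bin, storage[0], storage[1]);
  int got = 0;
  for (int i = 0; i < 3; i++)
    if (tc_get_unchecked (&bin) != NULL)
      got++;
  return got;                         /* 3: the cycle goes unnoticed */
}

int
main (void)
{
  printf ("count check: %d of 3 pops served\n", replay_checked ());
  printf ("pointer check only: %d of 3 pops served\n", replay_unchecked ());
  return 0;
}
```

With the count check the third pop is refused (the model returns NULL where glibc asserts); with only a NULL test on the head pointer all three succeed and the allocator would keep returning the same two chunks, which is why comparing the pointer against 0 never caught this case.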

