This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] malloc: Ensure tcache count won't overflow
- From: DJ Delorie <dj at redhat dot com>
- To: Adam Maris <amaris at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 15 Nov 2018 17:15:44 -0500
- Subject: Re: [PATCH] malloc: Ensure tcache count won't overflow
I had a bit of a discussion with Adam before he posted this, so I'm a
bit biased, but +1 from me.
Biased-Review-by: DJ Delorie <dj@redhat.com>
Adam Maris <amaris@redhat.com> writes:
> - assert (tcache->entries[tc_idx] > 0);
> + assert (tcache->counts[tc_idx] > 0);
Honestly, I don't know what I was thinking when I originally wrote that,
but IMHO this is obviously correct in hindsight. We don't compare
pointers with signed integers, and if tcache->entries[tc_idx] were NULL,
it would have segfaulted on the next line anyway:
> tcache->entries[tc_idx] = e->next;
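Review bot: the new assert on `tcache->counts[tc_idx]` runs before the list is advanced, which is the right order, but it leaves `e` itself unchecked: a count that is out of step with the list (count still positive, `entries[tc_idx]` already NULL) reaches `tcache->entries[tc_idx] = e->next;` and dies with a SIGSEGV instead of a malloc assertion message. Consider adding `assert (e != NULL)` next to the count check so both corruption cases abort the same way and with a message that names the tcache.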
> + void* p = malloc(SZ);
> + void* q = malloc(SZ);
> +
> + free(p);
> + free(q);
tcache contains q -> p -> NULL
> + // corrupt the next pointer of last chunk in tcache
> + memcpy(p, &q, sizeof(void*));
p->next now points to the same chunk q points to, so tcache now
contains:
q -> p -> q -> p -> <etc>
> + malloc(SZ);
> + malloc(SZ);
> + malloc(SZ);
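Review bot: the three trailing `malloc(SZ)` calls are where the assert is meant to fire, but nothing in the hunk checks that `p` and `q` are non-NULL before `memcpy(p, &q, sizeof(void*))` writes through `p`, or that SZ actually maps to a tcache bin; check the two malloc results, keep SZ well below the tcache size limit, and make sure the test harness treats the resulting abort as the pass condition, because a build with tcache disabled would run all five calls to completion, detect nothing, and still look like a pass.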
Since there are only two real chunks in tcache, one of these should
detect it...
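The cycle DJ walks through above (q -> p -> q -> p) can be reproduced in a small model, as an added example that is not part of the original message or of glibc's malloc: a toy tcache bin with a head pointer and a count, a `bin_get_unguarded` that trusts the list the way the pre-patch code did, and a `bin_get_guarded` that stops handing out chunks once the count reaches zero, which is what the patch's `assert (tcache->counts[tc_idx] > 0)` enforces. The `tcache_bin`, `bin_put`, `bin_get_*` and `chunk_pool` names and the `unsigned char` count are assumptions of this model, not glibc's identifiers or types; the guarded get returns NULL where glibc would abort so the result can be inspected.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of one tcache bin (added example, not glibc's code).  As in
   glibc, the free-list next pointer lives at the start of the chunk's
   user data and a per-bin count tracks how many entries the list holds. */
#define MAX_CHUNKS 8

typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry;

typedef struct {
    tcache_entry *head;     /* mirrors tcache->entries[tc_idx] */
    unsigned char count;    /* mirrors tcache->counts[tc_idx]; type is an assumption */
} tcache_bin;

/* Suitably aligned "chunks" so a tcache_entry can be overlaid on them. */
static max_align_t chunk_pool[MAX_CHUNKS];

/* Push a freed chunk on the bin, like tcache_put. */
static void bin_put(tcache_bin *bin, void *chunk) {
    tcache_entry *e = chunk;
    e->next = bin->head;
    bin->head = e;
    bin->count++;
}

/* Unguarded get: trusts the list and decrements the count blindly, so with
   a next-pointer cycle it keeps returning the same two chunks and the
   count wraps once it passes zero.  This is the behaviour the patch removes. */
static void *bin_get_unguarded(tcache_bin *bin) {
    tcache_entry *e = bin->head;
    bin->head = e->next;
    bin->count--;
    return e;
}

/* Guarded get: once the count is zero every real chunk has been handed
   out, so anything still reachable through head is a corrupted link.
   glibc aborts via assert here; the model returns NULL instead. */
static void *bin_get_guarded(tcache_bin *bin) {
    if (bin->count == 0 || bin->head == NULL)
        return NULL;
    tcache_entry *e = bin->head;
    bin->head = e->next;
    bin->count--;
    return e;
}

/* Recreate the test's scenario: free p, free q, then overwrite p's next
   pointer with q so the list becomes q -> p -> q -> p -> ... */
static void build_cycle(tcache_bin *bin, void **p_out, void **q_out) {
    void *p = &chunk_pool[0];
    void *q = &chunk_pool[1];
    memset(bin, 0, sizeof *bin);
    bin_put(bin, p);
    bin_put(bin, q);
    memcpy(p, &q, sizeof(void *));   /* corrupt the last chunk's next pointer */
    *p_out = p;
    *q_out = q;
}

/* Number of chunks the guarded get returns before it reports corruption:
   exactly the two real chunks, so the third request is refused. */
static int guarded_allocs_until_detect(void) {
    tcache_bin bin; void *p, *q;
    build_cycle(&bin, &p, &q);
    int n = 0;
    while (n < 10 && bin_get_guarded(&bin) != NULL)
        n++;
    return n;
}

/* 1 if four unguarded gets return q, p, q, p (the same chunk twice). */
static int unguarded_hands_out_duplicate(void) {
    tcache_bin bin; void *p, *q; void *got[4];
    build_cycle(&bin, &p, &q);
    for (int i = 0; i < 4; i++)
        got[i] = bin_get_unguarded(&bin);
    return got[0] == q && got[1] == p && got[2] == q && got[3] == p;
}

/* The bin count after those four unguarded gets: 2 - 4 wraps to 254. */
static int unguarded_count_after_four_gets(void) {
    tcache_bin bin; void *p, *q;
    build_cycle(&bin, &p, &q);
    for (int i = 0; i < 4; i++)
        bin_get_unguarded(&bin);
    return bin.count;
}

int main(void) {
    printf("guarded: %d allocations before detection\n", guarded_allocs_until_detect());
    printf("unguarded: duplicate chunk returned: %s, count now %d\n",
           unguarded_hands_out_duplicate() ? "yes" : "no",
           unguarded_count_after_four_gets());
    return 0;
}
```

The model shows why the count check is enough to catch the cycle in the test: two real chunks were freed, so after two gets the count is zero and the third get sees a non-empty list it cannot account for. The unguarded path instead serves q and p again and leaves the count wrapped, which is the state the patch subject describes.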