This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
- From: DJ Delorie <dj at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 26 Nov 2018 13:50:37 -0500
- Subject: Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
#if USE_TCACHE
{
size_t tc_idx = csize2tidx (size);
So from the above, we have a tc_idx but haven't verified it yet, then...
- for (tmp = tcache->entries[tc_idx];
... use it here, crash. Sigh.
The rest of the scan logic should be OK; if there's a crash while doing...
- tmp = tmp->next)
... then the tcache itself is corrupt.
- if (tcache
- && tc_idx < mp_.tcache_bins
These two tests should move up, but...
- && tcache->counts[tc_idx] < mp_.tcache_count)
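Review bot: in the removed lines, `tcache->entries[tc_idx]` is read (and `tcache` dereferenced) by the scan loop before the `if (tcache && tc_idx < mp_.tcache_bins ...)` test is ever reached, so a chunk whose size maps past mp_.tcache_bins enters the loop with an unvalidated index. The `tcache` and `tc_idx < mp_.tcache_bins` conditions need to guard the loop as well as the put; only the `tcache->counts[tc_idx] < mp_.tcache_count` condition belongs to the put alone.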
... this one stays, so we scan full tcache bins still.
Resulting in...
#if USE_TCACHE
{
size_t tc_idx = csize2tidx (size);
+ if (tcache != NULL && tc_idx < mp_.tcache_bins)
We've validated that we have a tcache and the chunk size is valid. This
assumes that mp_.tcache_bins is <= the hardcoded upper limit, but we
enforce that elsewhere.
+ if (__glibc_unlikely (e->key == tcache))
The "&& tcache" part is no longer needed here.
+ if (tcache->counts[tc_idx] < mp_.tcache_count)
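Review bot: the scan loop `for (tmp = tcache->entries[tc_idx]; ... tmp = tmp->next)` that now runs under `if (__glibc_unlikely (e->key == tcache))` has no visible bound other than reaching the end of the list, so a bin whose next pointers have been corrupted into a cycle would spin rather than crash; consider capping the walk at mp_.tcache_count nodes and calling it a corrupt tcache when that is exceeded. A one-line comment at `if (tcache != NULL && tc_idx < mp_.tcache_bins)` noting that mp_.tcache_bins is kept at or below the hardcoded upper limit where the tunable is set would also help, since indexing counts[] and entries[] here depends on it.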
...and this test is simplified.
LGTM.
Sheepishly-Reviewed-by: DJ Delorie <dj@redhat.com>
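The ordering problem the patch fixes, as an added example that is not glibc's code: a miniature model of the tcache free path with the check order from before the patch next to the order after it. The structs, the csize2tidx arithmetic, the bin limit of 64 and fill count of 7 mirror glibc's defaults but are assumptions made here so the file runs stand-alone; the chunk header is not modelled, so the chunk size is passed in directly, and the out-of-bounds read that the old order would perform is reported as OOB_READ instead of being executed. The scenario functions build their own constructed inputs.

```c
/* Added example, not glibc's code: model of the tcache free-path check order. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ           sizeof (size_t)
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MINSIZE           (4 * SIZE_SZ)
#define TCACHE_MAX_BINS   64   /* assumed hardcoded upper limit */

/* Chunk size -> tcache bin index, same arithmetic as glibc's csize2tidx. */
#define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)

typedef struct tcache_entry
{
  struct tcache_entry *next;
  struct tcache_perthread_struct *key;  /* == tcache while the chunk is cached */
} tcache_entry;

typedef struct tcache_perthread_struct
{
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

/* Stand-ins for the tunables mp_.tcache_bins and mp_.tcache_count (assumed). */
static size_t tcache_bins = TCACHE_MAX_BINS;
static size_t tcache_count = 7;

enum free_result { PUT_IN_TCACHE, BIN_FULL, DOUBLE_FREE, NOT_TCACHE_SIZE, OOB_READ };
typedef enum free_result (*free_fn_t) (tcache_perthread_struct *, tcache_entry *, size_t);

/* Walk the bin looking for e; unbounded, as in the patch. */
static int
in_bin (tcache_perthread_struct *tcache, size_t tc_idx, tcache_entry *e)
{
  for (tcache_entry *tmp = tcache->entries[tc_idx]; tmp; tmp = tmp->next)
    if (tmp == e)
      return 1;
  return 0;
}

static void
tcache_put (tcache_perthread_struct *tcache, size_t tc_idx, tcache_entry *e)
{
  e->key = tcache;
  e->next = tcache->entries[tc_idx];
  tcache->entries[tc_idx] = e;
  ++tcache->counts[tc_idx];
}

/* Order before the patch: e->key is compared first and entries[tc_idx] is
   read before tc_idx is known to be in range.  The read is reported, not done. */
static enum free_result
free_before_patch (tcache_perthread_struct *tcache, tcache_entry *e, size_t csize)
{
  size_t tc_idx = csize2tidx (csize);
  if (e->key == tcache && tcache)
    {
      if (tc_idx >= tcache_bins)
        return OOB_READ;              /* the old code indexes entries[tc_idx] here */
      if (in_bin (tcache, tc_idx, e))
        return DOUBLE_FREE;
    }
  if (tcache && tc_idx < tcache_bins && tcache->counts[tc_idx] < tcache_count)
    {
      tcache_put (tcache, tc_idx, e);
      return PUT_IN_TCACHE;
    }
  return (tcache && tc_idx < tcache_bins) ? BIN_FULL : NOT_TCACHE_SIZE;
}

/* Order after the patch: validate tcache and tc_idx before any indexing. */
static enum free_result
free_after_patch (tcache_perthread_struct *tcache, tcache_entry *e, size_t csize)
{
  size_t tc_idx = csize2tidx (csize);
  if (tcache != NULL && tc_idx < tcache_bins)
    {
      if (e->key == tcache && in_bin (tcache, tc_idx, e))
        return DOUBLE_FREE;
      if (tcache->counts[tc_idx] < tcache_count)
        {
          tcache_put (tcache, tc_idx, e);
          return PUT_IN_TCACHE;
        }
      return BIN_FULL;
    }
  return NOT_TCACHE_SIZE;
}

/* Constructed input: a chunk too large for any tcache bin whose key field
   happens to hold the tcache pointer (coincidence or attacker-written). */
static enum free_result
scenario_large_chunk (free_fn_t free_fn)
{
  static tcache_perthread_struct tc;
  memset (&tc, 0, sizeof tc);
  tcache_entry e = { NULL, &tc };
  return free_fn (&tc, &e, 4096);
}

/* Constructed input: the same tcache-sized chunk freed twice. */
static enum free_result
scenario_double_free (free_fn_t free_fn)
{
  static tcache_perthread_struct tc;
  memset (&tc, 0, sizeof tc);
  tcache_entry e = { NULL, NULL };
  free_fn (&tc, &e, 0x20);
  return free_fn (&tc, &e, 0x20);
}

/* Constructed input: eight distinct chunks into a bin that holds seven. */
static enum free_result
scenario_bin_fills (free_fn_t free_fn)
{
  static tcache_perthread_struct tc;
  static tcache_entry chunks[8];
  memset (&tc, 0, sizeof tc);
  memset (chunks, 0, sizeof chunks);
  enum free_result r = PUT_IN_TCACHE;
  for (size_t i = 0; i < 8; i++)
    r = free_fn (&tc, &chunks[i], 0x40);
  return r;
}

int
main (void)
{
  printf ("large chunk, old order: %d (4 = OOB_READ)\n", scenario_large_chunk (free_before_patch));
  printf ("large chunk, new order: %d (3 = NOT_TCACHE_SIZE)\n", scenario_large_chunk (free_after_patch));
  printf ("double free, new order: %d (2 = DOUBLE_FREE)\n", scenario_double_free (free_after_patch));
  return 0;
}
```

The large-chunk scenario is the crash DJ describes: the old order reaches `entries[tc_idx]` with an index beyond the bin array, while the new order rejects the chunk as not tcache-sized before touching the array. The double-free and full-bin scenarios return the same result under both orders, which is the property the reordering has to preserve.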