This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]


 #if USE_TCACHE
   {
     size_t tc_idx = csize2tidx (size);

So from the above, we have a tc_idx but haven't verified it yet, then...

-	for (tmp = tcache->entries[tc_idx];

... use it here, crash.  Sigh.

The rest of the scan logic should be OK; if there's a crash while doing...

-	     tmp = tmp->next)

... then the tcache itself is corrupt.

-    if (tcache
-	&& tc_idx < mp_.tcache_bins

These two tests should move up, but...

-	&& tcache->counts[tc_idx] < mp_.tcache_count)

... this one stays, so we scan full tcache bins still.


Resulting in...

 #if USE_TCACHE
   {
     size_t tc_idx = csize2tidx (size);
+    if (tcache != NULL && tc_idx < mp_.tcache_bins)
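Review bot: this bound check is only complete because tc_idx is declared size_t on the line above it; any csize2tidx result that wraps for an undersized chunk becomes a very large unsigned value and is rejected by the same `tc_idx < mp_.tcache_bins` comparison. If that declaration is ever changed to a signed type, this condition would need an explicit lower-bound test as well, so it is worth a one-line comment here saying the unsigned comparison is relied upon.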

We've validated that we have a tcache and the chunk size is valid.  This
assumes that mp_.tcache_bins is <= the hardcoded upper limit, but we
enforce that elsewhere.

+	if (__glibc_unlikely (e->key == tcache))

The "&& tcache" part is no longer needed here.

+	if (tcache->counts[tc_idx] < mp_.tcache_count)
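Review bot: the counts test must stay here, after the key check and bin scan, rather than being folded into the earlier `tcache != NULL && tc_idx < mp_.tcache_bins` condition: a bin that is already full can still contain the chunk being freed, so the double-free scan has to run before the count decides whether the chunk is placed back in the bin. The hunk keeps that ordering; a comment stating that the count is intentionally not part of the outer guard would stop a later cleanup from merging the two.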

...and this test is simplified.


LGTM.

Sheepishly-Reviewed-by: DJ Delorie <dj@redhat.com>
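The ordering the review above settles on (validate the bin index, then scan the bin for a double free, then consult the count) as an added stand-alone C model. This is my own illustration, not glibc's code or the patch under review: the struct layout, the constants (MINSIZE, MALLOC_ALIGNMENT, TCACHE_MAX_BINS), the tunables standing in for mp_.tcache_bins and mp_.tcache_count, and the function names are simplified assumptions chosen so the three outcomes can be exercised on constructed chunks.

```c
/* Added example, not glibc's code: a stand-alone model of the tcache
 * double-free scan reviewed above, with the tc_idx bound check done
 * before entries[tc_idx] is touched.  Constants, struct layout and
 * function names are simplified assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MALLOC_ALIGNMENT 16
#define MINSIZE 32
#define TCACHE_MAX_BINS 64
/* Chunk size to bin index.  size is size_t, so a size below MINSIZE wraps
 * to a huge index instead of going negative. */
#define csize2tidx(x) (((x) - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT)

struct tcache_perthread_struct;

typedef struct tcache_entry {
  struct tcache_entry *next;
  struct tcache_perthread_struct *key;  /* points at the tcache while the chunk sits in a bin */
} tcache_entry;

typedef struct tcache_perthread_struct {
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

/* Assumed tunables standing in for mp_.tcache_bins and mp_.tcache_count. */
static size_t tcache_bins = TCACHE_MAX_BINS;
static size_t tcache_count = 7;

enum free_result { FREE_SKIP_TCACHE, FREE_DOUBLE, FREE_CACHED };

/* Model of the free() path: decide what happens to chunk `e` of chunk
 * size `size`.  The bin index is validated first; only then is the bin
 * scanned for a double free, and only then is the count consulted. */
enum free_result tcache_free(tcache_perthread_struct *tcache, tcache_entry *e, size_t size)
{
  size_t tc_idx = csize2tidx(size);

  if (tcache == NULL || tc_idx >= tcache_bins)
    return FREE_SKIP_TCACHE;            /* entries[] and counts[] are never indexed */

  if (e->key == tcache) {
    /* Walk the whole bin even when it is full: a full bin can still
     * hold this very chunk. */
    for (tcache_entry *tmp = tcache->entries[tc_idx]; tmp != NULL; tmp = tmp->next)
      if (tmp == e)
        return FREE_DOUBLE;
  }

  if (tcache->counts[tc_idx] < tcache_count) {
    e->next = tcache->entries[tc_idx];
    e->key = tcache;
    tcache->entries[tc_idx] = e;
    tcache->counts[tc_idx]++;
    return FREE_CACHED;
  }
  return FREE_SKIP_TCACHE;              /* bin full: chunk goes elsewhere */
}

/* Exercises the outcomes on constructed chunks; returns the number of
 * outcomes that matched expectation (6 when the model behaves). */
int run_demo(void)
{
  tcache_perthread_struct tc;
  tcache_entry a, b, full[8];
  int ok = 0, i;
  memset(&tc, 0, sizeof tc);
  memset(&a, 0, sizeof a);
  memset(&b, 0, sizeof b);
  memset(full, 0, sizeof full);

  ok += tcache_free(&tc, &a, 32) == FREE_CACHED;       /* first free: bin 0 */
  ok += tcache_free(&tc, &a, 32) == FREE_DOUBLE;       /* same chunk again */
  /* Size one bin past the last: index 64, rejected before entries[64]. */
  ok += tcache_free(&tc, &b, 32 + 16 * TCACHE_MAX_BINS) == FREE_SKIP_TCACHE;
  /* Undersized chunk: csize2tidx wraps to a huge index, also rejected. */
  ok += tcache_free(&tc, &b, 16) == FREE_SKIP_TCACHE;
  /* Fill bin 1 (size 48) to tcache_count, then show a full bin is still
   * scanned for a double free and an 8th distinct chunk is not cached. */
  for (i = 0; i < 7; i++)
    tcache_free(&tc, &full[i], 48);
  ok += tcache_free(&tc, &full[0], 48) == FREE_DOUBLE;
  ok += tcache_free(&tc, &full[7], 48) == FREE_SKIP_TCACHE;
  printf("%d of 6 outcomes as expected\n", ok);
  return ok;
}

int main(void) { return run_demo() == 6 ? 0 : 1; }
```

The two rejections in run_demo are the point of the patch: both an oversized and an undersized chunk produce an index that fails the unsigned bound check before entries[] is read, whereas the pre-patch ordering would have indexed entries[tc_idx] first. The full-bin case shows why the count test stays after the scan.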

