This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]


Florian Weimer <fweimer@redhat.com> writes:
> One more note.  This check
>
>> +	/* This test succeeds on double free.  However, we don't 100%
>> +	   trust it (it also matches random payload data at a 1 in
>> +	   2^<size_t> chance), so verify it's not an unlikely
>> +	   coincidence before aborting.  */
>> +	if (__glibc_unlikely (e->key == tcache))
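
Review bot: the comment above the e->key == tcache test gives the false-positive rate as "1 in 2^<size_t>", which is not a defined quantity; write the exponent as the bit width of size_t so the actual odds are readable. The comment also promises to "verify it's not an unlikely coincidence before aborting" without saying what that verification is, so a sentence naming it here would let this condition be reviewed on its own.
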
>
> makes it difficult to write a regression test for this because we cannot
> easily determine the tcache cookie value from the test.  Otherwise we
> could use that to spray the heap and likely trigger this issue quite
> reliably.

Free one chunk into tcache and read the key from it.

