This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
- From: DJ Delorie <dj at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 26 Nov 2018 13:51:17 -0500
- Subject: Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
Florian Weimer <fweimer@redhat.com> writes:
> One more note. This check
>
>> + /* This test succeeds on double free. However, we don't 100%
>> + trust it (it also matches random payload data at a 1 in
>> + 2^<size_t> chance), so verify it's not an unlikely
>> + coincidence before aborting. */
>> + if (__glibc_unlikely (e->key == tcache))
>
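Review bot: the "1 in 2^<size_t>" odds in the comment assume uniformly random payload data, but `tcache` is itself a heap pointer, so a payload that stores heap pointers (common in real programs) will hit `e->key == tcache` far more often than that estimate suggests; the comment should say the figure is a best case and that the verification it promises after this comparison, not the comparison itself, is what justifies the abort. Also `2^<size_t>` is not a number; `2^(8 * sizeof (size_t))`, or "one in 2^64 on 64-bit targets", would read better.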
> makes it difficult to write a regression test for this because we cannot
> easily determine the tcache cookie value from the test. Otherwise we
> could use that to spray the heap and likely trigger this issue quite
> reliably.
Free one chunk into tcache and read the key from it.
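The regression test sketched in this exchange, as an added example that is not glibc's own test program: it reads the key out of a freed chunk the way the reply suggests, then exercises both sides of the check quoted above. It assumes a 64-bit Linux system with glibc 2.29 or later, where a freed tcache chunk keeps its 'next' link in the first word of user data and the key in the second; on 2.29 through 2.33 that key is the per-thread tcache pointer, from 2.34 on it is a random per-process value, which is why the example reads it rather than computing it. CHUNK_SIZE and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Request size small enough that the chunk is cached in tcache (assumption:
   default tunables, 64-bit glibc >= 2.29).  */
#define CHUNK_SIZE 0x40

/* Free one chunk and read the double-free key back out of it.
   A freed tcache chunk holds a tcache_entry in its user data: word 0 is the
   'next' link (mangled on glibc >= 2.32) and word 1 is the key.  */
uintptr_t read_tcache_key(void)
{
    uintptr_t *p = malloc(CHUNK_SIZE);
    if (p == NULL)
        return 0;
    memset(p, 0, CHUNK_SIZE);            /* word 1 is 0 before the free */
    uintptr_t addr = (uintptr_t)p;       /* keep the address as an integer */
    free(p);
    /* Deliberate read of freed memory: word 1 now holds the key.  */
    return ((volatile uintptr_t *)addr)[1];
}

/* The key match alone must not be trusted.  Put the key value in the payload
   of a live chunk and free it exactly once; the chunk is not in the bin, so
   the free has to be accepted.  Returns 1 when free() returns normally.  */
int free_with_sprayed_key_is_accepted(uintptr_t key)
{
    uintptr_t *p = malloc(CHUNK_SIZE);
    if (p == NULL)
        return 0;
    memset(p, 0, CHUNK_SIZE);
    p[1] = key;                          /* payload that happens to equal the key */
    free(p);                             /* key matches, chunk not in bin: no abort */
    return 1;
}

/* A genuine double free: the key matches AND the chunk is found in the bin.
   Run it in a child and report whether the child died with SIGABRT.  */
int double_free_aborts(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);   /* hide glibc's message */
        if (devnull >= 0)
            dup2(devnull, STDERR_FILENO);
        void *p = malloc(CHUNK_SIZE);
        free(p);
        free(p);                          /* "free(): double free detected in tcache 2" */
        _exit(0);                         /* only reached if detection failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main(void)
{
    uintptr_t key = read_tcache_key();
    printf("key read from a freed chunk: %#lx\n", (unsigned long)key);
    printf("free of a chunk whose payload equals the key: %s\n",
           free_with_sprayed_key_is_accepted(key) ? "accepted" : "rejected");
    printf("real double free: %s\n",
           double_free_aborts() ? "SIGABRT" : "not detected");
    return 0;
}
```

The sprayed-key case is the one Florian wanted to reach: it only passes because free() goes on to verify that the chunk is actually in the bin before aborting, so a test that asserts the free completes catches a regression to the key-only check.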