Bug 22159

Summary:	malloc: MALLOC_CHECK_ broken with --enable-tunables=no
Product:	glibc	Reporter:	Tulio Magno Quites Machado Filho <tuliom>
Component:	malloc	Assignee:	Not yet assigned to anyone <unassigned>
Status:	RESOLVED FIXED
Severity:	normal	CC:	fweimer
Priority:	P2	Flags:	fweimer: security-
Version:	2.27
Target Milestone:	2.27
See Also:	https://sourceware.org/bugzilla/show_bug.cgi?id=21754
Host:		Target:
Build:		Last reconfirmed:

Description Tulio Magno Quites Machado Filho 2017-09-19 17:45:13 UTC

The following tests are segfaulting when glibc is configured with --enable-tunables=no:

FAIL: elf/tst-env-setuid
FAIL: malloc/tst-malloc-usable
FAIL: malloc/tst-malloc-usable-static
FAIL: malloc/tst-mcheck

I reproduced this issue on ppc, ppc64, ppc64le and x86_64.

I bisected these failures to:

commit ac3ed168d0c0b2b702319ac0db72c9b475a8c72e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 30 19:29:38 2017 +0200

    malloc: Remove check_action variable [BZ #21754]
    
    Clean up calls to malloc_printerr and trim its argument list.
    
    This also removes a few bits of work done before calling
    malloc_printerr (such as unlocking operations).
    
    The tunable/environment variable still enables the lightweight
    additional malloc checking, but mallopt (M_CHECK_ACTION)
    no longer has any effect.

Comment 1 Sourceware Commits 2017-10-17 17:57:50 UTC

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3381be5cdef2e43949db12f66a5a3ec23b2c4c90 (commit)
      from  e956075a5a2044d05ce48b905b10270ed4a63e87 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3381be5cdef2e43949db12f66a5a3ec23b2c4c90

commit 3381be5cdef2e43949db12f66a5a3ec23b2c4c90
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Tue Oct 17 18:55:16 2017 +0100

    Improve malloc initialization sequence
    
    The current malloc initialization is quite convoluted. Instead of
    sometimes calling malloc_consolidate from ptmalloc_init, call
    malloc_init_state early so that the main_arena is always initialized.
    The special initialization can now be removed from malloc_consolidate.
    This also fixes BZ #22159.
    
    Check all calls to malloc_consolidate and remove calls that are
    redundant initialization after ptmalloc_init, like in int_mallinfo
    and __libc_mallopt (but keep the latter as consolidation is required for
    set_max_fast).  Update comments to improve clarity.
    
    Remove impossible initialization check from _int_malloc, fix assert
    in do_check_malloc_state to ensure arena->top != 0.  Fix the obvious bugs
    in do_check_free_chunk and do_check_remalloced_chunk to enable single
    threaded malloc debugging (do_check_malloc_state is not thread safe!).
    
    	[BZ #22159]
    	* malloc/arena.c (ptmalloc_init): Call malloc_init_state.
    	* malloc/malloc.c (do_check_free_chunk): Fix build bug.
    	(do_check_remalloced_chunk): Fix build bug.
    	(do_check_malloc_state): Add assert that checks arena->top.
    	(malloc_consolidate): Remove initialization.
    	(int_mallinfo): Remove call to malloc_consolidate.
    	(__libc_mallopt): Clarify why malloc_consolidate is needed.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |   11 +++
 malloc/arena.c  |   13 +---
 malloc/malloc.c |  197 ++++++++++++++++++++++++------------------------------
 3 files changed, 103 insertions(+), 118 deletions(-)

Comment 2 Florian Weimer 2017-10-18 10:01:01 UTC

Fixed for 2.27.