This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch master updated. glibc-2.28.9000-317-gaffec03


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  affec03b713c82c43a5b025dddc21bde3334f41e (commit)
      from  8ae74eadb60eb36424e4605939cef5fc966724be (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=affec03b713c82c43a5b025dddc21bde3334f41e

commit affec03b713c82c43a5b025dddc21bde3334f41e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Nov 26 20:06:37 2018 +0100

    malloc: tcache: Validate tc_idx before checking for double-frees [BZ #23907]
    
    The previous check could read beyond the end of the tcache entry
    array.  If the e->key == tcache cookie check happened to pass, this
    would result in crashes.

diff --git a/ChangeLog b/ChangeLog
index 77fb773..84ddd68 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-11-26  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #23907]
+	* malloc/malloc.c (_int_free): Validate tc_idx before checking for
+	double-frees.
+
 2018-11-26  Rafael �vila de Espíndola  <rafael@espindo.la>
 
 	[BZ #19767]
diff --git a/malloc/malloc.c b/malloc/malloc.c
index f730d7a..c9b2c6e 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4225,33 +4225,33 @@ _int_free (mstate av, mchunkptr p, int have_lock)
 #if USE_TCACHE
   {
     size_t tc_idx = csize2tidx (size);
-
-    /* Check to see if it's already in the tcache.  */
-    tcache_entry *e = (tcache_entry *) chunk2mem (p);
-
-    /* This test succeeds on double free.  However, we don't 100%
-       trust it (it also matches random payload data at a 1 in
-       2^<size_t> chance), so verify it's not an unlikely coincidence
-       before aborting.  */
-    if (__glibc_unlikely (e->key == tcache && tcache))
+    if (tcache != NULL && tc_idx < mp_.tcache_bins)
       {
-	tcache_entry *tmp;
-	LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
-	for (tmp = tcache->entries[tc_idx];
-	     tmp;
-	     tmp = tmp->next)
-	  if (tmp == e)
-	    malloc_printerr ("free(): double free detected in tcache 2");
-	/* If we get here, it was a coincidence.  We've wasted a few
-	   cycles, but don't abort.  */
-      }
+	/* Check to see if it's already in the tcache.  */
+	tcache_entry *e = (tcache_entry *) chunk2mem (p);
+
+	/* This test succeeds on double free.  However, we don't 100%
+	   trust it (it also matches random payload data at a 1 in
+	   2^<size_t> chance), so verify it's not an unlikely
+	   coincidence before aborting.  */
+	if (__glibc_unlikely (e->key == tcache))
+	  {
+	    tcache_entry *tmp;
+	    LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
+	    for (tmp = tcache->entries[tc_idx];
+		 tmp;
+		 tmp = tmp->next)
+	      if (tmp == e)
+		malloc_printerr ("free(): double free detected in tcache 2");
+	    /* If we get here, it was a coincidence.  We've wasted a
+	       few cycles, but don't abort.  */
+	  }
 
-    if (tcache
-	&& tc_idx < mp_.tcache_bins
-	&& tcache->counts[tc_idx] < mp_.tcache_count)
-      {
-	tcache_put (p, tc_idx);
-	return;
+	if (tcache->counts[tc_idx] < mp_.tcache_count)
+	  {
+	    tcache_put (p, tc_idx);
+	    return;
+	  }
       }
   }
 #endif

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    6 ++++++
 malloc/malloc.c |   52 ++++++++++++++++++++++++++--------------------------
 2 files changed, 32 insertions(+), 26 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]