This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]


* Florian Weimer:

> The previous check could read beyond the end of the tcache entry
> array.  If the e->key == tcache cookie check happened to pass, this
> would result in crashes.
>
> 2018-11-22  Florian Weimer  <fweimer@redhat.com>
>
> 	[BZ #23907]
> 	* malloc/malloc.c (_int_free): Validate tc_idx before checking for
> 	double-frees.

One more note.  This check

> +	/* This test succeeds on double free.  However, we don't 100%
> +	   trust it (it also matches random payload data at a 1 in
> +	   2^<size_t> chance), so verify it's not an unlikely
> +	   coincidence before aborting.  */
> +	if (__glibc_unlikely (e->key == tcache))
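Review bot: the comment's "1 in 2^<size_t> chance" reads like a leftover placeholder rather than a finished sentence; since e->key holds a pointer-sized value, state the bound explicitly, e.g. "1 in 2^(8 * sizeof (size_t))" or "one in 2^64 on 64-bit targets", so the odds are unambiguous to the next reader. The quoted excerpt also does not show the tc_idx validation that the subject line says must come first; confirm in the full hunk that the bounds check on tc_idx sits above this `if`, so that `e` is never loaded from beyond the end of the tcache entry array before the key comparison runs.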

makes it difficult to write a regression test for this because we cannot
easily determine the tcache cookie value from the test.  Otherwise we
could use that to spray the heap and likely trigger this issue quite
reliably.

Thanks,
Florian

