This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
- From: Florian Weimer <fweimer at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Thu, 22 Nov 2018 15:53:19 +0100
- Subject: Re: [PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
- References: <87zhu1z1ja.fsf@oldenburg.str.redhat.com>
* Florian Weimer:
> The previous check could read beyond the end of the tcache entry
> array. If the e->key == tcache cookie check happened to pass, this
> would result in crashes.
>
> 2018-11-22 Florian Weimer <fweimer@redhat.com>
>
> [BZ #23907]
> * malloc/malloc.c (_int_free): Validate tc_idx before checking for
> double-frees.
One more note. This check
> + /* This test succeeds on double free. However, we don't 100%
> + trust it (it also matches random payload data at a 1 in
> + 2^<size_t> chance), so verify it's not an unlikely
> + coincidence before aborting. */
> + if (__glibc_unlikely (e->key == tcache))
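Review bot: the probability in the comment, "1 in 2^<size_t> chance", is ambiguous as written; "<size_t>" reads like an unfilled placeholder rather than a bit width, so spell it out, e.g. "1 in 2^(8 * sizeof (size_t))". The comment should also say what "verify" means here (walking the tcache bin selected by tc_idx for this chunk), since that is exactly why the check has to sit after tc_idx has been validated, which is what the patch subject says it does.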
makes it difficult to write a regression test for this because we cannot
easily determine the tcache cookie value from the test. Otherwise we
could use that to spray the heap and likely trigger this issue quite
reliably.
Thanks,
Florian
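The out-of-bounds read described in the commit message, as an added example in C that is not glibc code: a small model of the tcache double-free check in `_int_free` with the pre-fix ordering (key check and bin walk before `tc_idx` is validated) beside the post-fix ordering. The constants (`MALLOC_ALIGNMENT`, `MINSIZE`, `TCACHE_MAX_BINS`) are assumed x86-64 defaults, the struct and function names follow malloc.c but are simplified, and the "sprayed" chunk whose payload already equals the tcache pointer is constructed input standing in for the heap spray the message mentions. The model reports the out-of-bounds access instead of performing it.

```c
/* Added example, not glibc code: model of the tcache double-free check in
   _int_free, pre- and post-fix ordering from BZ #23907.  Constants are
   assumed x86-64 defaults; names follow malloc.c but are simplified.  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MALLOC_ALIGNMENT 16   /* assumption: x86-64 */
#define MINSIZE          32   /* assumption: x86-64 */
#define TCACHE_MAX_BINS  64   /* size of the per-thread entries[] array */

typedef struct tcache_entry {
  struct tcache_entry *next;
  struct tcache_perthread_struct *key;  /* stamped by tcache_put */
} tcache_entry;

typedef struct tcache_perthread_struct {
  uint16_t counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

/* Chunk size -> bin index, same formula as glibc's csize2tidx.  Sizes
   beyond the tcache range give an index >= TCACHE_MAX_BINS.  */
static size_t csize2tidx(size_t csize) {
  return (csize - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT;
}

enum free_result {
  FREE_OK,           /* not a tcache double free (or a key coincidence) */
  FREE_DOUBLE_FREE,  /* glibc would call malloc_printerr here */
  FREE_OOB_READ      /* pre-fix code would read entries[tc_idx] past the
                        array end (or through a NULL tcache) */
};

/* The "verify it's not a coincidence" walk; only safe once tc_idx has
   been checked against the array size.  */
static enum free_result walk_bin(tcache_perthread_struct *tcache,
                                 tcache_entry *e, size_t tc_idx) {
  for (tcache_entry *tmp = tcache->entries[tc_idx]; tmp; tmp = tmp->next)
    if (tmp == e)
      return FREE_DOUBLE_FREE;
  return FREE_OK;
}

/* Pre-fix ordering: key check and bin walk run before tc_idx is checked.
   The out-of-bounds access is reported rather than performed.  */
static enum free_result free_check_before(tcache_perthread_struct *tcache,
                                          tcache_entry *e, size_t csize) {
  size_t tc_idx = csize2tidx(csize);
  if (e->key == tcache) {
    if (tcache == NULL || tc_idx >= TCACHE_MAX_BINS)
      return FREE_OOB_READ;   /* real code: tcache->entries[tc_idx] */
    return walk_bin(tcache, e, tc_idx);
  }
  return FREE_OK;
}

/* Post-fix ordering: tcache and tc_idx are validated first.  */
static enum free_result free_check_after(tcache_perthread_struct *tcache,
                                         tcache_entry *e, size_t csize) {
  size_t tc_idx = csize2tidx(csize);
  if (tcache != NULL && tc_idx < TCACHE_MAX_BINS && e->key == tcache)
    return walk_bin(tcache, e, tc_idx);
  return FREE_OK;
}

/* Link a chunk into its bin and stamp the key, as tcache_put does.  */
static void tcache_put(tcache_perthread_struct *tcache, tcache_entry *e,
                       size_t tc_idx) {
  e->key = tcache;
  e->next = tcache->entries[tc_idx];
  tcache->entries[tc_idx] = e;
  tcache->counts[tc_idx]++;
}

/* Commit-message scenario: a chunk too large for any tcache bin whose
   payload was sprayed with the tcache pointer (constructed input).
   fixed=0 runs the pre-fix ordering, fixed=1 the post-fix ordering.  */
static enum free_result scenario_sprayed_large_chunk(int fixed) {
  static tcache_perthread_struct tcache;
  static tcache_entry chunk;
  memset(&tcache, 0, sizeof tcache);
  chunk.next = NULL;
  chunk.key = &tcache;            /* sprayed payload equals the key */
  size_t csize = 0x10000;         /* csize2tidx -> 4094, far past 64 */
  return fixed ? free_check_after(&tcache, &chunk, csize)
               : free_check_before(&tcache, &chunk, csize);
}

/* A genuine double free of a small chunk is still caught after the fix.  */
static enum free_result scenario_real_double_free(void) {
  static tcache_perthread_struct tcache;
  static tcache_entry chunk;
  memset(&tcache, 0, sizeof tcache);
  size_t csize = 0x20;            /* smallest bin, tc_idx == 0 */
  tcache_put(&tcache, &chunk, csize2tidx(csize));   /* first free */
  return free_check_after(&tcache, &chunk, csize);  /* second free */
}

int main(void) {
  printf("sprayed large chunk: pre-fix %d (2 = OOB read), post-fix %d\n",
         scenario_sprayed_large_chunk(0), scenario_sprayed_large_chunk(1));
  printf("real double free, post-fix: %d (1 = detected)\n",
         scenario_real_double_free());
  return 0;
}
```

The pre-fix path shows why the key comparison alone is not a safe gate: any chunk whose first words happen to equal the tcache pointer, whatever its size, sends the code into `entries[tc_idx]` with an unchecked index. The post-fix path keeps the same detection for chunks that actually belong to a tcache bin.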