[PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]

DJ Delorie dj@redhat.com
Mon Nov 26 18:51:00 GMT 2018


Florian Weimer <fweimer@redhat.com> writes:
> One more note.  This check
>
>> +	/* This test succeeds on double free.  However, we don't 100%
>> +	   trust it (it also matches random payload data at a 1 in
>> +	   2^<size_t> chance), so verify it's not an unlikely
>> +	   coincidence before aborting.  */
>> +	if (__glibc_unlikely (e->key == tcache))
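Review bot: the `+` comment lines in this hunk put the false-positive rate at "1 in 2^<size_t>", which is not a number; write it as 1 in 2^(8 * sizeof (size_t)) (2^64 on 64-bit targets), and add that this only holds for uniformly random payload: a buffer that legitimately holds a copy of the cookie value in its second word matches every time, so the "verify it's not an unlikely coincidence before aborting" step the comment promises has to be the only path to abort, never `e->key == tcache` on its own.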
>
> makes it difficult to write a regression test for this because we cannot
> easily determine the tcache cookie value from the test.  Otherwise we
> could use that to spray the heap and likely trigger this issue quite
> reliably.

Free one chunk into tcache and read the key from it.
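The approach DJ describes, as an added example in C that is not part of this message, the patch, or glibc's test suite: free one small chunk into tcache, read the key back out of the freed chunk, then free a series of chunks whose payload carries that key, including sizes too large for tcache (the case the patch title concerns). It assumes glibc's tcache_entry layout (a "next" pointer followed by the key at offset sizeof (void *)) and that an unfixed glibc is run under a memory checker or a debug build so the out-of-bounds read shows up; the helper names and the size list are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of a freed chunk's user area in glibc's tcache
   (struct tcache_entry in malloc.c): "next", then "key".  The key is the
   value free() compares against the per-thread cookie.  */
#define TCACHE_KEY_OFFSET (sizeof (void *))

/* Sizes to spray: the small ones land in tcache bins, the last two are
   above the default tcache limit, so free() computes a tc_idx past the end
   of the bins array.  Constructed for this example.  */
static const size_t spray_sizes[] = { 24, 64, 256, 1024, 4096, 32768 };
#define SPRAY_COUNT ((int) (sizeof spray_sizes / sizeof spray_sizes[0]))

/* Step 1 of the suggestion: free one chunk into tcache and read the key
   back out of it.  This is a deliberate use-after-free, acceptable only in
   an allocator test; the address is laundered through a volatile integer
   so the compiler neither warns about nor folds away the read.  */
static uintptr_t
read_tcache_key (void)
{
  char *p = malloc (64);
  if (p == NULL)
    return 0;
  uintptr_t volatile addr = (uintptr_t) p;
  free (p);
  uintptr_t key;
  memcpy (&key, (const void *) (addr + TCACHE_KEY_OFFSET), sizeof key);
  return key;
}

/* Step 2: allocate SIZE bytes, plant KEY where tcache_entry.key would sit,
   and free the chunk.  A correct free() treats the match as a possible
   double free, checks that the chunk is not already in the bin (or skips
   the check when tc_idx is out of range, which is what BZ #23907 fixes),
   and then carries on.  Returns 1 when the free completes, 0 on allocation
   failure; an unfixed glibc may crash here instead of returning.  */
static int
free_with_forged_key (size_t size, uintptr_t key)
{
  char *p = malloc (size);
  if (p == NULL)
    return 0;
  memset (p, 0, size);
  memcpy (p + TCACHE_KEY_OFFSET, &key, sizeof key);
  free (p);
  return 1;
}

/* Run the spray over every size.  Returns the number of chunks freed
   without incident, so a harness can compare it with SPRAY_COUNT.  */
static int
spray_forged_keys (void)
{
  uintptr_t key = read_tcache_key ();
  int freed = 0;
  for (int i = 0; i < SPRAY_COUNT; i++)
    freed += free_with_forged_key (spray_sizes[i], key);
  return freed;
}

int
main (void)
{
  return spray_forged_keys () == SPRAY_COUNT ? 0 : 1;
}
```

On a fixed glibc every forged free completes: the small sizes take the "possible double free" path and are cleared by the bin walk, the large ones skip the check because tc_idx is rejected first. On other allocators the key read is just whatever the freed second word holds and the spray is harmless, so the program still exits 0; the test only means something against glibc.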