[PATCH] malloc: Validate tc_idx before checking for double-frees in tcache [BZ #23907]
DJ Delorie
dj@redhat.com
Mon Nov 26 18:51:00 GMT 2018
Florian Weimer <fweimer@redhat.com> writes:
> One more note. This check
>
>> + /* This test succeeds on double free. However, we don't 100%
>> + trust it (it also matches random payload data at a 1 in
>> + 2^<size_t> chance), so verify it's not an unlikely
>> + coincidence before aborting. */
>> + if (__glibc_unlikely (e->key == tcache))
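Review bot: the odds in the comment above the `if` read as "1 in 2^<size_t>", which is not what is meant; the cheap test is a pointer-sized compare, so the figure is 1 in 2^(8 * sizeof (size_t)), i.e. one in 2^64 on 64-bit targets, and it only holds for uniformly random payload (a payload that stores heap pointers is far likelier to collide with the tcache address). Suggest spelling the figure out and stating in the same comment that the bin walk that follows, not the key compare, is what makes the abort sound.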
>
> makes it difficult to write a regression test for this because we cannot
> easily determine the tcache cookie value from the test. Otherwise we
> could use that to spray the heap and likely trigger this issue quite
> reliably.
Free one chunk into tcache and read the key from it.
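A constructed C model of the check under discussion, added here as an illustration and not code from the patch or from glibc: it mirrors the shape of the tcache key test (cookie set on free, cleared on allocation, bin walk before aborting) and the fixed ordering that range-checks tc_idx before indexing the bins, and its 'p' step follows DJ's suggestion of reading the key back from a freed chunk to provoke the coincidence path. The struct layouts, bin index 3 and the result enum are assumptions of the model.

```c
#include <stddef.h>
/* Constructed model of the tcache double-free check (not glibc's code): a freed
   chunk's payload holds a next pointer plus a key cookie set to the per-thread
   tcache address on free and cleared on allocation. */
#define TCACHE_BINS 64
typedef struct tcache_entry { struct tcache_entry *next; void *key; } tcache_entry;
typedef struct { tcache_entry *entries[TCACHE_BINS]; } tcache_perthread;
enum free_result { FREED, COINCIDENCE, DOUBLE_FREE, NOT_TCACHE };

static void tcache_put(tcache_perthread *tc, tcache_entry *e, size_t idx) {
    e->key = tc;
    e->next = tc->entries[idx];
    tc->entries[idx] = e;
}

static tcache_entry *tcache_get(tcache_perthread *tc, size_t idx) {
    tcache_entry *e = tc->entries[idx];
    if (e == NULL) return NULL;
    tc->entries[idx] = e->next;
    e->key = NULL;   /* cleared so a later free of this chunk is a legitimate one */
    return e;
}

/* Range-check tc_idx before touching entries[tc_idx] (the ordering this patch
   fixes), run the cheap key test, then walk the bin before trusting it. */
static enum free_result model_free(tcache_perthread *tc, tcache_entry *e, size_t tc_idx) {
    if (tc_idx >= TCACHE_BINS)
        return NOT_TCACHE;                  /* too big for tcache: never index entries[] */
    int key_hit = (e->key == tc);
    if (key_hit)
        for (tcache_entry *t = tc->entries[tc_idx]; t != NULL; t = t->next)
            if (t == e)
                return DOUBLE_FREE;         /* really in the bin: glibc aborts here */
    tcache_put(tc, e, tc_idx);
    return key_hit ? COINCIDENCE : FREED;   /* key matched by chance: carry on */
}

/* Scenario driver over two constructed chunks. Steps: 'a'/'b' free chunk a/b into
   bin 3, 'g' allocates from bin 3, 'p' copies the key read back from freed a into
   never-freed b, 'L' frees a with an out-of-range index. Returns the last free's result. */
static enum free_result run(const char *steps) {
    tcache_perthread tc = {{0}}; tcache_entry a = {0}, b = {0};
    enum free_result r = FREED;
    for (; *steps; steps++) {
        if (*steps == 'a') r = model_free(&tc, &a, 3);
        else if (*steps == 'b') r = model_free(&tc, &b, 3);
        else if (*steps == 'g') tcache_get(&tc, 3);
        else if (*steps == 'p') b.key = a.key;
        else if (*steps == 'L') r = model_free(&tc, &a, TCACHE_BINS);
    }
    return r;
}
```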