[PATCH] malloc tcache: Debugger now sees the address of the corrupted chunk.
DJ Delorie
dj@redhat.com
Sat Dec 12 03:17:23 GMT 2020
Hmm... OK, I think I get it. It's not the 'e' we know, it's the 'e' from
the previous call to tcache_get().
So basically, when we remove a chunk from the tcache, we want to
validate the pointer we're leaving behind?
static __always_inline void *
tcache_get (size_t tc_idx)
{
tcache_entry *e = tcache->entries[tc_idx];
if (__glibc_unlikely (!aligned_OK (e)))
malloc_printerr ("malloc(): unaligned tcache chunk detected");
tcache->entries[tc_idx] = REVEAL_PTR (e->next);
+ /* Validate the pointer we're leaving behind, while we still know
+ where it came from, in case a use-after-free corrupted it. */
+ if (tcache->entries[tc_idx])
+ * (volatile char **) tcache->entries[tc_idx];
--(tcache->counts[tc_idx]);
e->key = NULL;
return (void *) e;
}
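Review bot: the probe read on the `+ * (volatile char **) tcache->entries[tc_idx];` line only faults when the new head points at unmapped memory; a next pointer clobbered to a readable but wrong address passes it silently and is caught only by the `aligned_OK` test at the top of the following `tcache_get`, where `e` no longer identifies the chunk that held the bad link. Since the function already checks `aligned_OK (e)` for the entry it returns, consider applying the same check to `tcache->entries[tc_idx]` before the dereference, so a misaligned link is reported through `malloc_printerr` while `e` still names the chunk it came from, rather than surfacing only as a raw fault. The comment would also be clearer if it said the read is meant to fault on an unmapped link, since nothing in it rejects a mapped address.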
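The idea raised above, checking the link we are leaving behind while we still know which chunk stored it, as an added illustration that is not glibc code and not part of this thread. It is a toy model of a single tcache bin over a fixed arena: instead of glibc's probe read, the model bounds-checks and alignment-checks the link (assumed names `model_tcache_get`, `model_tcache_put`, `link_ok`), so a corrupted link is reported together with the chunk that held it instead of surfacing one call later.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of one tcache bin (added illustration, not glibc's tcache).
   Chunks live in a fixed arena so a "next" link can be checked against
   the arena bounds rather than dereferenced. */
#define CHUNK_SIZE 32
#define NCHUNKS 8
#define MODEL_ALIGNMENT 16

typedef struct model_entry { struct model_entry *next; } model_entry;

static _Alignas(16) unsigned char arena[NCHUNKS * CHUNK_SIZE];
static model_entry *bin_head;
static size_t bin_count;
static const char *last_error;   /* why the last get refused the bin */
static void *last_bad_chunk;     /* the chunk whose stored link was bad */

static int in_arena(const void *p) {
  const unsigned char *c = p;
  return c >= arena && c < arena + sizeof arena;
}

static int aligned_ok(const void *p) {
  return ((uintptr_t)p % MODEL_ALIGNMENT) == 0;
}

/* Return 1 if 'link' is NULL or looks like a chunk of ours; otherwise
   record the reason and the chunk ('owner') that held the link. */
static int link_ok(model_entry *link, void *owner) {
  if (link == NULL) return 1;
  if (!aligned_ok(link)) { last_error = "unaligned tcache chunk"; last_bad_chunk = owner; return 0; }
  if (!in_arena(link))   { last_error = "tcache chunk outside arena"; last_bad_chunk = owner; return 0; }
  return 1;
}

static void model_tcache_put(void *chunk) {
  model_entry *e = chunk;
  e->next = bin_head;
  bin_head = e;
  bin_count++;
}

static void *model_tcache_get(void) {
  model_entry *e = bin_head;
  if (e == NULL) return NULL;
  /* Checking the head itself is the late check: we no longer know who stored it. */
  if (!link_ok(e, NULL)) return NULL;
  model_entry *next = e->next;
  /* Validate the link we're leaving behind while we still know it lived in e. */
  if (!link_ok(next, e)) return NULL;
  bin_head = next;
  bin_count--;
  return e;
}

static void model_reset(void) {
  bin_head = NULL; bin_count = 0; last_error = NULL; last_bad_chunk = NULL;
  memset(arena, 0, sizeof arena);
}

/* Normal LIFO behaviour: two puts, then gets return c1, c0, NULL. */
static int demo_clean_path(void) {
  model_reset();
  void *c0 = arena + 0 * CHUNK_SIZE, *c1 = arena + 1 * CHUNK_SIZE;
  model_tcache_put(c0);
  model_tcache_put(c1);
  return model_tcache_get() == c1 && model_tcache_get() == c0
      && model_tcache_get() == NULL && bin_count == 0 && last_error == NULL;
}

/* Constructed use-after-free: the program keeps writing into c1 after it
   was freed, clobbering the link stored there. Returns 1 if the model
   refuses the bin and attributes the bad link to c1. */
static int demo_detects_corrupted_link(void) {
  model_reset();
  void *c0 = arena + 0 * CHUNK_SIZE, *c1 = arena + 1 * CHUNK_SIZE;
  model_tcache_put(c0);
  model_tcache_put(c1);                 /* bin: c1 -> c0 */
  memset(c1, 'A', sizeof(model_entry));  /* 0x4141... is not 16-byte aligned */
  void *got = model_tcache_get();
  return got == NULL && last_error != NULL && last_bad_chunk == c1;
}
```

The point of `link_ok(next, e)` is the ordering: the check runs before `e` is handed back, so the report can name the chunk that held the corrupt link. Deferring the check to the next call, as the unpatched `aligned_OK (e)` does, only knows the bad address, not where it was read from.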