[PATCH] malloc tcache: Debugger now sees the address of the corrupted chunk.

DJ Delorie dj@redhat.com
Sat Dec 12 03:17:23 GMT 2020

Hmm... OK, I think I get it.  It's not the 'e' we know, its the 'e' from
the previous call to tcache_get().

So basically, when we remove a chunk from the tcache, we want to
validate the pointer we're leaving behind?

 static __always_inline void *
 tcache_get (size_t tc_idx)
   tcache_entry *e = tcache->entries[tc_idx];
   if (__glibc_unlikely (!aligned_OK (e)))
     malloc_printerr ("malloc(): unaligned tcache chunk detected");
   tcache->entries[tc_idx] = REVEAL_PTR (e->next);
+  /* Validate the pointer we're leaving behind, while we still know
+     where it came from, in case a use-after-free corrupted it.  */
+  if (tcache->entries[tc_idx])
+    * (volatile char **) tcache->entries[tc_idx];
   e->key = NULL;
   return (void *) e;

More information about the Libc-alpha mailing list