malloc: tcache_get() may return another valid memory block
wangxu (AE)
wangxu72@huawei.com
Fri May 8 12:02:46 GMT 2020
Hi,
The malloc function in the GNU C Library (aka glibc or libc6) since
2.26 may return a memory block which contains another valid memory block
pointer, potentially leading to a memory leak.
This occurs because the function tcache_get() of the per-thread cache (aka tcache) feature
does not set e->next = NULL.
With Safe-Linking support, the memory block pointer can be disclosed by REVEAL_PTR(&p).
---
malloc/malloc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index ee87ddb..8dfb20b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2954,6 +2954,7 @@ tcache_get (size_t tc_idx)
tcache->entries[tc_idx] = REVEAL_PTR (e->next);
--(tcache->counts[tc_idx]);
e->key = NULL;
+ e->next = NULL;
return (void *) e;
}
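Review bot: the added `e->next = NULL;` store matches the `e->key = NULL;` already done on the line above it, but the justification should be stated more precisely before this goes in: malloc() does not promise cleared memory, so what the caller of tcache_get() observes is that the first word of the block it is handed still holds the (Safe-Linking-mangled) link to the next free chunk of that bin, i.e. a disclosure of a heap address to code that reads uninitialised memory, rather than a memory leak. The commit message should say that, and should also name the cost: one extra store on the malloc fast path for every tcache hit. Note as well that `REVEAL_PTR (e->next)` on the first line of the hunk is the only consumer of the old link, so clearing it afterwards cannot change which chunk becomes the new bin head.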
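To show what the one-line change does to the block a caller receives, here is a small stand-alone model of the tcache free list, written for this note and not taken from glibc's malloc.c. It keeps a single bin instead of one per size class, uses a fixed stand-in for glibc's random tcache_key, and defines PROTECT_PTR/REVEAL_PTR the way glibc's Safe-Linking does (storage address shifted right by 12, XORed with the link). The function names model_tcache_put, model_tcache_get, run_scenario and the two checks are hypothetical; the two 64-byte blocks are constructed backing storage. The flag passed to model_tcache_get selects the behaviour before the patch (link left in place) or after it (link cleared), so the same code doubles as the regression check a maintainer would keep next to the fix.

```c
/* Simplified model of glibc's per-thread cache (tcache) free list.
 * Illustrative code written for this note, not glibc's malloc.c:
 * one bin only, and a fixed key instead of a random one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct tcache_entry {
    struct tcache_entry *next;  /* Safe-Linking-protected link to the next free block */
    void *key;                  /* marks the block as "in tcache" for double-free detection */
} tcache_entry;

/* Safe-Linking as in glibc: mangle the link with the address it is stored at >> 12. */
#define PROTECT_PTR(pos, ptr) \
    ((tcache_entry *)((((uintptr_t)(pos)) >> 12) ^ ((uintptr_t)(ptr))))
#define REVEAL_PTR(ptr) PROTECT_PTR(&(ptr), ptr)

static tcache_entry *head;          /* models tcache->entries[tc_idx] */
static unsigned counts;             /* models tcache->counts[tc_idx] */
static char tcache_key_storage;     /* stand-in for glibc's random tcache_key */
#define TCACHE_KEY ((void *)&tcache_key_storage)

/* free() side: push the block onto the bin. */
static void model_tcache_put(tcache_entry *e)
{
    e->key = TCACHE_KEY;
    e->next = PROTECT_PTR(&e->next, head);
    head = e;
    counts++;
}

/* malloc() side. clear_next == 0 models tcache_get() before the patch,
 * clear_next == 1 models it with the added "e->next = NULL" store. */
static tcache_entry *model_tcache_get(int clear_next)
{
    tcache_entry *e = head;
    head = REVEAL_PTR(e->next);     /* the only consumer of the old link */
    --counts;
    e->key = NULL;
    if (clear_next)
        e->next = NULL;
    return e;
}

/* Constructed backing storage for two blocks, so the model runs offline. */
static _Alignas(16) char pool[2][64];

/* Free a, then b, then allocate once (the bin hands back b).
 * Reports the first word the caller finds in its new block and a's address. */
static void run_scenario(int clear_next, tcache_entry **first_word, tcache_entry **other)
{
    tcache_entry *a = (tcache_entry *)pool[0];
    tcache_entry *b = (tcache_entry *)pool[1];

    memset(pool, 0, sizeof pool);
    head = NULL;
    counts = 0;

    model_tcache_put(a);                               /* free(a) */
    model_tcache_put(b);                               /* free(b): bin is b -> a */
    tcache_entry *got = model_tcache_get(clear_next);  /* malloc(): returns b */

    *first_word = got->next;
    *other = a;
}

/* 1 if the block handed to the caller still carries a non-NULL link word. */
int returned_block_has_stale_link(int clear_next)
{
    tcache_entry *w, *other;
    run_scenario(clear_next, &w, &other);
    return w != NULL;
}

/* 1 if un-mangling that word with REVEAL_PTR gives the other free block,
 * which is the disclosure the report describes. */
int stale_link_reveals_other_block(int clear_next)
{
    tcache_entry *w, *other;
    run_scenario(clear_next, &w, &other);
    if (w == NULL)
        return 0;
    tcache_entry *b = (tcache_entry *)pool[1];   /* REVEAL_PTR needs the word's address */
    return REVEAL_PTR(b->next) == other;
}

int main(void)
{
    printf("before patch: stale link=%d, reveals other block=%d\n",
           returned_block_has_stale_link(0), stale_link_reveals_other_block(0));
    printf("after patch:  stale link=%d, reveals other block=%d\n",
           returned_block_has_stale_link(1), stale_link_reveals_other_block(1));
    return 0;
}
```

Run as is, the "before" line reports 1/1 and the "after" line 0/0: before the change, the caller's block still begins with the mangled link and REVEAL_PTR on it recovers the address of the other free block of the same bin; after the change the word is NULL and nothing is recoverable from it. The model also shows why clearing the link is safe: model_tcache_get reads e->next into head before the store, exactly as the hunk does.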
Attachment (scrubbed by the list archive): 0001-malloc-tcache_get-may-return-another-valid-memory-bl.patch, application/octet-stream, 1008 bytes
URL: <https://sourceware.org/pipermail/libc-alpha/attachments/20200508/54fd6706/attachment.obj>
More information about the Libc-alpha mailing list