Carlos, this is faster to debug on paper than trying to debug the optimized
program.
For the minimal example of what is wrong, I could trigger the assert for the
unoptimized version of malloc. In the optimized version you need to go to
the assembly to see where gcc scheduled the loads.
The idea is simple: while we free one chunk, the chunk on top of the fastbin
could be allocated in another thread, resized and then returned back to the
top of the fastbin, to trigger an assertion or segfault when trim unmaps the
corresponding page.
The program is the following:
#include <stdlib.h>
#include <malloc.h>   /* malloc_trim */
#include <pthread.h>

/* Thread body: frees the chunk handed to it, concurrently with the frees in main. */
void *freea (void *p)
{
  free (p); // 1
  return NULL;
}

int main ()
{
  pthread_t x;
  char *u, *v;

  u = malloc (16);
  pthread_create (&x, NULL, freea, u);
  v = malloc (16);
  free (v); // 2
  malloc_trim (0);
  v = malloc (512); // 3
  free (v);
  malloc_trim (0);
  v = malloc (16);
  free (v); // 4
  return 0;
}
First, step into free 1 until you get to this fragment. Here run free 2 so
v gets to the top of the fastbin.

    unsigned int idx = fastbin_index(size); // 32 >> 4 = 2
    fb = &fastbin (av, idx);

    mchunkptr fd;
    mchunkptr old = *fb; // v
    unsigned int old_idx = ~0u;
    do
      {
        /* Another simple check: make sure the top of the bin is not the
           record we are going to add (i.e., double free). */
        if (__builtin_expect (old == p, 0))
          {
            errstr = "double free or corruption (fasttop)";
            goto errout;
          }

Now here run step 3, where v is a chunk of size 528.

        if (old != NULL)
          old_idx = fastbin_index(chunksize(old)); // 528 >> 4 = 33
        p->fd = fd = old;

And continue with step 4, which returns v to the top of the fastbin, which is
the same state as at 2.

      }
    while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);

And as 33 != 2 we cause an error.

    if (fd != NULL && __builtin_expect (old_idx != idx, 0))
      {
        errstr = "invalid fastbin entry (free)";
        goto errout;
      }
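To make the interleaving above reproducible without a debugger, here is an added example (not code from this bug report or from glibc): a toy model of the fastbin push loop quoted above, with two hook points standing in for the other thread, so the sequence 2 -> 3 -> 4 can be replayed deterministically in a single thread. The chunk layout, fastbin_index arithmetic (following the post's comments, 32 >> 4 = 2 and 528 >> 4 = 33), the hook names and the "check only while holding the arena lock" variant are all my own assumptions for illustration; the latter simply re-reads the size at a point where nobody else can change it, which is one way the false positive described above can be avoided.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Toy chunk: a size field and the fd link used by the fastbin LIFO list. */
typedef struct chunk {
    size_t size;          /* chunk size including header (constructed model) */
    struct chunk *fd;     /* next chunk in the bin */
} chunk_t;

/* Matches the arithmetic in the post's comments (32 >> 4 = 2, 528 >> 4 = 33). */
static size_t fastbin_index(size_t sz) { return sz >> 4; }

enum push_result { PUSH_OK = 0, PUSH_DOUBLE_FREE = 1, PUSH_BAD_ENTRY = 2 };

/* Hypothetical hooks: the harness uses them to stand in for the other thread. */
typedef struct {
    void (*before_size_read)(chunk_t *_Atomic *fb, chunk_t *old);
    void (*before_cas)(chunk_t *_Atomic *fb, chunk_t *old);
} interleave_t;

/* check_under_lock_only == 0 reproduces the ordering quoted in the post:
   old_idx is taken from 'old' before the CAS. With it set to 1, the size
   check runs only when the caller holds the arena lock and re-reads the size
   then (assumed mitigation, not glibc's code). */
static int fastbin_push(chunk_t *_Atomic *fb, chunk_t *p, int have_lock,
                        int check_under_lock_only, const interleave_t *il)
{
    size_t idx = fastbin_index(p->size);
    chunk_t *old = atomic_load(fb);
    chunk_t *fd = NULL;
    size_t old_idx = (size_t)-1;
    int fired = 0;

    do {
        if (old == p)                              /* double free (fasttop) */
            return PUSH_DOUBLE_FREE;
        if (il && il->before_size_read && !fired)
            il->before_size_read(fb, old);
        if (old != NULL)                           /* this read can be stale by CAS time */
            old_idx = fastbin_index(old->size);
        p->fd = fd = old;
        if (il && il->before_cas && !fired) {
            il->before_cas(fb, old);
            fired = 1;
        }
        chunk_t *expected = fd;
        if (atomic_compare_exchange_strong(fb, &expected, p))
            break;                                 /* pushed: *fb == p now */
        old = expected;                            /* head moved, retry with the new head */
    } while (1);

    if (check_under_lock_only) {
        if (have_lock && fd != NULL && fastbin_index(fd->size) != idx)
            return PUSH_BAD_ENTRY;
    } else if (fd != NULL && old_idx != idx) {
        return PUSH_BAD_ENTRY;                     /* "invalid fastbin entry (free)" */
    }
    return PUSH_OK;
}

/* Step 3 of the post: the other thread pops v, trims, and reuses the same
   address for a 512-byte request, so its header now reads 528. */
static void other_thread_resizes(chunk_t *_Atomic *fb, chunk_t *old)
{
    atomic_store(fb, (chunk_t *)NULL);
    old->size = 528;
}

/* Step 4: v is freed again as a 16-byte chunk and lands back on the bin head,
   so the head pointer equals what the freeing thread read at step 2. */
static void other_thread_returns(chunk_t *_Atomic *fb, chunk_t *old)
{
    old->size = 32;
    atomic_store(fb, old);
}

/* Replays the race from the post against a fresh bin with v on top. */
static int replay_race(int check_under_lock_only)
{
    chunk_t v = { .size = 32, .fd = NULL };   /* constructed: chunk v, on the bin head */
    chunk_t u = { .size = 32, .fd = NULL };   /* constructed: chunk u, being freed (free 1) */
    chunk_t *_Atomic fb = &v;
    interleave_t il = { other_thread_resizes, other_thread_returns };
    return fastbin_push(&fb, &u, /*have_lock=*/0, check_under_lock_only, &il);
}

/* Genuine corruption: the head chunk's size field has been overwritten. */
static int detect_corruption_under_lock(void)
{
    chunk_t v = { .size = 528, .fd = NULL };  /* constructed: bad header on a 32-byte bin */
    chunk_t u = { .size = 32, .fd = NULL };
    chunk_t *_Atomic fb = &v;
    return fastbin_push(&fb, &u, /*have_lock=*/1, 1, NULL);
}

int main(void)
{
    printf("post's ordering, race replayed:      %d (2 = invalid fastbin entry, a false positive)\n", replay_race(0));
    printf("check only under lock, race replayed: %d (0 = ok)\n", replay_race(1));
    printf("check under lock, real corruption:    %d (2 = caught)\n", detect_corruption_under_lock());
    return 0;
}
```

The first call shows the failure mode of the post: the CAS succeeds because the head pointer is v both times (an ABA pattern), yet old_idx was computed while v briefly had size 528, so a perfectly healthy bin is reported as corrupt. The second call shows that deferring the size read to a point where the arena lock is held removes the false positive while the third call shows the check still catches a genuinely overwritten header.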
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1020210
Title:
Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap
corruption
To manage notifications about this bug go to:
https://bugs.launchpad.net/eglibc/+bug/1020210/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs