This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
- From: "wowzerjk at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 3 Jul 2008 17:18:24 -0000
- Subject: [Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
- Reply-to: sourceware-bugzilla at sourceware dot org
In glibc 2.7, malloc malfunctions with this program I wrote.
Glibc 2.7 is from Ubuntu 8.04; the kernel version is 2.6.24.3. The kernel is from apt-get install linux-source.
The problem is that malloc returns memory chunks it has already returned before.
Example code generating the problem is as follows.
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int* p[10];
    int* q[5];
    int i;

    /* ten chunks of the same fastbin size class */
    for(i=0; i<10; ++i)
        p[i] = malloc(8);

    free(p[0]);
    free(p[1]);
    free(p[2]);
    free(p[3]);
    free(p[0]);    /* intentional double free: p[0] is no longer the top of the bin */

    /* five allocations of the same size class; the fifth repeats the first */
    for(i=0; i<5; ++i) {
        q[i] = malloc(5);
        printf("malloc %p\n", q[i]);
    }

    return 0;
}
The result is as follows.
~# gcc test.c
~# ./a.out
malloc 0x804a008 // first allocation
malloc 0x804a038
malloc 0x804a028
malloc 0x804a018
malloc 0x804a008 // duplicated allocation
The above source code actually has a double free error.
(The free source code may not detect those double frees for FASTBIN.)
But duplicated allocation seems dangerous.
I think this problem is caused by the uninitialization of the "fd" member of "mchunkptr" when malloc
works using FASTBIN.
The source code causing this problem is in malloc.c, in the function _int_free().
I got the glibc source using apt-get install glibc-source in Ubuntu 8.04.
4605: p->fd = *fb;
4606: *fb = p;
If inserting p->fd = NULL; I think everything will be fine :)
(But it still cannot catch double frees for FASTBIN.)
--
Summary: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: wowzerjk at gmail dot com
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: i686 linux gnu
GCC host triplet: i686 linux gnu
GCC target triplet: i686 linux gnu
http://sourceware.org/bugzilla/show_bug.cgi?id=6718
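Added example, not code from the report or from glibc: a toy model of one fastbin as a LIFO list threaded through the freed chunks' fd pointers, replaying the report's free sequence to show why the fifth malloc returns p[0] again, beside a free routine that walks the bin before inserting. The top-only check in fast_free is an assumed model, and the pool array is a constructed stand-in for the heap.

```c
#include <stddef.h>
/* Added example, not glibc code: a toy model of one fastbin, the LIFO
   singly-linked list glibc threads through freed chunks' fd pointers.
   Only the two operations the report cites (4605/4606) are modelled. */
#define NCHUNKS 10
struct chunk { struct chunk *fd; };
static struct chunk pool[NCHUNKS];   /* constructed stand-in for the heap */
static struct chunk *fastbin;        /* the bin head, *fb in the report */
static int last_rejected;            /* frees refused by the last replay */

/* free() path as in the report. Assumed model of a top-only check: a chunk
   that is already the bin head is rejected, a chunk deeper in the list is
   not, so the report's second free(p[0]) after free(p[3]) slips through. */
static int fast_free(struct chunk *p) {
    if (fastbin == p) return -1;     /* double free of the top chunk */
    p->fd = fastbin;                 /* 4605: p->fd = *fb; */
    fastbin = p;                     /* 4606: *fb = p;     */
    return 0;
}

/* Stricter variant: walk the whole bin before inserting. O(n) per free,
   which is why an allocator's fast path does not do it. */
static int checked_free(struct chunk *p) {
    for (struct chunk *c = fastbin; c != NULL; c = c->fd)
        if (c == p) return -1;       /* chunk already on the free list */
    return fast_free(p);
}

/* malloc() path: pop the bin head and follow its fd. */
static struct chunk *fast_malloc(void) {
    struct chunk *p = fastbin;
    if (p != NULL) fastbin = p->fd;
    return p;
}

/* Replays the report's free(p[0..3]), free(p[0]) with the given free
   routine, then allocates five times. Returns how many allocations repeat
   an earlier one; with fast_free the order is p0, p3, p2, p1, p0 again. */
static int replay(int (*do_free)(struct chunk *)) {
    static const int seq[] = {0, 1, 2, 3, 0};
    struct chunk *got[5];
    int dups = 0;
    fastbin = NULL; last_rejected = 0;
    for (int i = 0; i < 5; i++)
        if (do_free(&pool[seq[i]]) < 0) last_rejected++;
    for (int i = 0; i < 5; i++) {
        got[i] = fast_malloc();
        for (int j = 0; j < i; j++)
            if (got[i] != NULL && got[i] == got[j]) { dups++; break; }
    }
    return dups;
}
```

With fast_free the replay reproduces the reported duplicate with no free rejected; with checked_free the second free(p[0]) is refused and no allocation repeats.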