This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7


In the glibc 2.7 version, malloc malfunctions using this program I have written.
Glibc 2.7 is from Ubuntu 8.04, kernel version is 2.6.24.3. The kernel is from apt-get install linux-source.

The problem is that malloc returns memory chunks already returned before.

Example code generating the problem is as follows.

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        int* p[10];
        int* q[5];
        int i;

        /* ten fastbin-size chunks */
        for(i=0; i<10; ++i)
            p[i] = malloc(8);

        /* p[0] is freed twice on purpose: this is the double free
           the report is about, with other frees in between */
        free(p[0]);
        free(p[1]);
        free(p[2]);
        free(p[3]);
        free(p[0]);

        /* five fastbin-size requests; print the address each one gets */
        for(i=0; i<5; ++i) {
            q[i] = malloc(5);
            printf("malloc %p\n", q[i]);
        }

        return 0;
    }

The result is as follows.

~# gcc test.c
~# ./a.out 
malloc 0x804a008   // first allocation
malloc 0x804a038
malloc 0x804a028
malloc 0x804a018
malloc 0x804a008   // duplicated allocation

The above source code actually has a double free error.
(The free source code may not detect those double frees for FASTBIN.)
But the duplicated allocation seems dangerous.
I think that this problem is caused by the uninitialized "fd" member of "mchunkptr" when malloc
works using FASTBIN.

The source code causing this problem is in malloc.c in the function _int_free().
I got glibc source using apt-get install glibc-source in Ubuntu 8.04.

4605:         p->fd = *fb;
4606:         *fb = p;

If inserting p->fd = NULL; I think everything will be fine :)
(But it still cannot catch double frees for FASTBIN.)

-- 
           Summary: duplicated allocation using malloc for FASTBIN size
                    chunks in glibc 2.7
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: wowzerjk at gmail dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686 linux gnu
  GCC host triplet: i686 linux gnu
GCC target triplet: i686 linux gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=6718

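As an added example (not code from the bug report, and not glibc's own code), the C program below models the fastbin push quoted from _int_free(), "p->fd = *fb; *fb = p;", as a singly linked LIFO list threaded through the freed chunk's fd field. glibc compares the chunk against the current bin top just before those two lines; the model contrasts that O(1) top-of-bin check with a full walk of the bin, replays the report's free order (p[0], p[1], p[2], p[3], p[0]) under both, and counts how many of the five following pops return an address already handed out. The chunk layout, the pool array and every function name here are constructed for the model and are not glibc's.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of a fastbin (not glibc's real chunk layout):
 * freed chunks form a LIFO list threaded through "fd". */
struct chunk {
    size_t size;        /* present only to mimic a chunk header */
    struct chunk *fd;   /* next chunk in the bin while freed */
};

#define NCHUNKS 10
static struct chunk pool[NCHUNKS];   /* constructed "heap" of equal-size chunks */
static struct chunk *fastbin_top;    /* plays the role of *fb */

enum free_result { FREE_OK = 0, FREE_DOUBLE_TOP = 1, FREE_DOUBLE_IN_BIN = 2 };

static void reset_bin(void)
{
    fastbin_top = NULL;
    for (int i = 0; i < NCHUNKS; i++) {
        pool[i].size = 16;
        pool[i].fd = NULL;
    }
}

/* The two quoted lines from _int_free(): push p on the bin, no checks. */
static void bin_push_unchecked(struct chunk *p)
{
    p->fd = fastbin_top;
    fastbin_top = p;
}

/* What a fastbin-size malloc does: pop the top chunk (NULL if the bin is empty). */
static struct chunk *bin_pop(void)
{
    struct chunk *p = fastbin_top;
    if (p != NULL)
        fastbin_top = p->fd;
    return p;
}

/* O(1) policy: refuse only if p is already the top of the bin. */
static enum free_result free_with_top_check(struct chunk *p)
{
    if (fastbin_top == p)
        return FREE_DOUBLE_TOP;
    bin_push_unchecked(p);
    return FREE_OK;
}

/* O(n) policy: walk the whole bin before pushing. */
static enum free_result free_with_bin_scan(struct chunk *p)
{
    for (struct chunk *c = fastbin_top; c != NULL; c = c->fd)
        if (c == p)
            return FREE_DOUBLE_IN_BIN;
    bin_push_unchecked(p);
    return FREE_OK;
}

/* Replays the report's order free(p[0]), p[1], p[2], p[3], p[0] under the
 * given policy and returns the verdict on the last call. */
static enum free_result replay_report_sequence(enum free_result (*freefn)(struct chunk *))
{
    reset_bin();
    freefn(&pool[0]);
    freefn(&pool[1]);
    freefn(&pool[2]);
    freefn(&pool[3]);
    return freefn(&pool[0]);
}

/* Same, but with the two frees of p[0] back to back. */
static enum free_result replay_immediate_double_free(enum free_result (*freefn)(struct chunk *))
{
    reset_bin();
    freefn(&pool[0]);
    return freefn(&pool[0]);
}

/* Pushes the report's sequence unchecked, then pops five chunks (the five
 * malloc(5) calls) and returns how many repeat an address already popped. */
static int count_duplicate_pops(void)
{
    struct chunk *seen[5];
    int dups = 0;

    reset_bin();
    for (int i = 0; i < 4; i++)
        bin_push_unchecked(&pool[i]);
    bin_push_unchecked(&pool[0]);      /* the second free of p[0] */

    for (int i = 0; i < 5; i++) {
        seen[i] = bin_pop();
        for (int j = 0; j < i; j++)
            if (seen[j] == seen[i])
                dups++;
    }
    return dups;
}

int main(void)
{
    printf("top check, report's order:    %d\n", replay_report_sequence(free_with_top_check));
    printf("bin scan, report's order:     %d\n", replay_report_sequence(free_with_bin_scan));
    printf("top check, immediate double:  %d\n", replay_immediate_double_free(free_with_top_check));
    printf("duplicate chunks in five pops: %d\n", count_duplicate_pops());
    return 0;
}
```

The top-of-bin comparison catches only the back-to-back case; with three other frees in between, p[0] is no longer the top, the unchecked push threads the bin into a cycle, and the fifth pop returns the first pop's address, matching the 0x804a008 repeat in the report. A full bin walk catches both patterns but costs a list traversal on every fastbin free, which is the trade-off behind keeping the cheap check in the fast path.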

