This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug malloc/20155] New: malloc: Inconsistent chunk size checks


https://sourceware.org/bugzilla/show_bug.cgi?id=20155

            Bug ID: 20155
           Summary: malloc: Inconsistent chunk size checks
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

sysmalloc sets a chunk with size 2 * SIZE_SZ:

          /* The fencepost takes at least MINSIZE bytes, because it might
             become the top chunk again later.  Note that a footer is set
             up, too, although the chunk is marked in use. */
          old_size = (old_size - MINSIZE) & ~MALLOC_ALIGN_MASK;
          set_head (chunk_at_offset (old_top, old_size + 2 * SIZE_SZ), 0 | PREV_INUSE);
          if (old_size >= MINSIZE)
            {
              set_head (chunk_at_offset (old_top, old_size), (2 * SIZE_SZ) | PREV_INUSE);
              set_foot (chunk_at_offset (old_top, old_size), (2 * SIZE_SZ));
              set_head (old_top, old_size | PREV_INUSE | NON_MAIN_ARENA);
              _int_free (av, old_top, 1);

(Setting the NON_MAIN_ARENA flag here is rather dubious.)

_int_free checks against 2 * SIZE_SZ:

    if (__builtin_expect (nextchunk->size <= 2 * SIZE_SZ, 0)
        || __builtin_expect (nextsize >= av->system_mem, 0))
      {
        errstr = "free(): invalid next size (normal)";
        goto errout;
      }

This only works because nextchunk->size is actually 2 * SIZE_SZ + 1: the
PREV_INUSE flag is set.

We have a couple of other such comparisons which could also give unexpected
results.  Whether this is intended or not is unclear.

It's questionable to patch into the heap chunks smaller than MINSIZE (in the
way sysmalloc does) because it violates heap invariants.

I don't know what to do about this.  Such subtle tricks certainly make changes
to the code more difficult.

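The following stand-alone C program is an added illustration of the point made in the report above; it is not glibc code and not part of the bug report. It models the chunk header and the macros used in the quoted excerpts (SIZE_SZ, MINSIZE, MALLOC_ALIGN_MASK, chunk_at_offset, set_head, set_foot, chunksize) with the values glibc uses on LP64 as an assumption, lays the fencepost out over a constructed 128-byte region the way the quoted sysmalloc code does, and then applies the `nextchunk->size <= 2 * SIZE_SZ` comparison from _int_free both on the raw size field and on the flag-stripped size. The two results differ: the raw comparison passes only because PREV_INUSE is folded into the size, and the fencepost's real size is below MINSIZE.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed constants, modelled on glibc malloc's layout (this is a stand-alone
   model written for this note, not glibc code).  On LP64: SIZE_SZ = 8,
   MINSIZE = 32, MALLOC_ALIGNMENT = 16. */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)
#define PREV_INUSE        0x1u
#define IS_MMAPPED        0x2u
#define NON_MAIN_ARENA    0x4u
#define SIZE_BITS         (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* The header in front of every chunk; the low three bits of size carry the
   flags above. */
struct chunk_hdr {
    size_t prev_size;
    size_t size;
};

static struct chunk_hdr *chunk_at_offset(void *p, size_t s) {
    return (struct chunk_hdr *)((char *)p + s);
}
static void set_head(struct chunk_hdr *p, size_t s) { p->size = s; }
static void set_foot(struct chunk_hdr *p, size_t s) {
    chunk_at_offset(p, s)->prev_size = s;
}
/* chunksize(): the size with the flag bits stripped. */
static size_t chunksize(const struct chunk_hdr *p) {
    return p->size & ~(size_t)SIZE_BITS;
}

/* The comparison as it appears in the quoted _int_free excerpt: it tests the
   raw size field, flags included. */
static int raw_check_rejects(const struct chunk_hdr *next) {
    return next->size <= 2 * SIZE_SZ;
}
/* The same comparison on the flag-stripped size. */
static int masked_check_rejects(const struct chunk_hdr *next) {
    return chunksize(next) <= 2 * SIZE_SZ;
}

/* Reproduce the fencepost layout from the quoted sysmalloc excerpt over a
   caller-supplied region that plays the role of the old top chunk.  Returns
   the adjusted old_size (the size of the chunk that then gets freed). */
static size_t lay_fenceposts(void *old_top, size_t old_size) {
    old_size = (old_size - MINSIZE) & ~MALLOC_ALIGN_MASK;
    /* Second fencepost: size 0, only PREV_INUSE set. */
    set_head(chunk_at_offset(old_top, old_size + 2 * SIZE_SZ), 0 | PREV_INUSE);
    if (old_size >= MINSIZE) {
        /* First fencepost: 2 * SIZE_SZ bytes, i.e. smaller than MINSIZE. */
        set_head(chunk_at_offset(old_top, old_size), (2 * SIZE_SZ) | PREV_INUSE);
        set_foot(chunk_at_offset(old_top, old_size), 2 * SIZE_SZ);
        /* NON_MAIN_ARENA, which the report calls dubious, is left out here. */
        set_head(old_top, old_size | PREV_INUSE);
    }
    return old_size;
}

/* Constructed 128-byte region standing in for the old top chunk; returns the
   first fencepost, i.e. the "nextchunk" _int_free sees when old_top is freed. */
static struct chunk_hdr *demo_fencepost(void) {
    static size_t region[16];
    size_t old_size = lay_fenceposts(region, sizeof region);
    return chunk_at_offset(region, old_size);
}

int main(void) {
    struct chunk_hdr *fence = demo_fencepost();
    printf("fencepost raw size   = %zu (2*SIZE_SZ = %zu, plus PREV_INUSE)\n",
           fence->size, 2 * SIZE_SZ);
    printf("fencepost chunksize  = %zu (MINSIZE = %zu)\n", chunksize(fence), MINSIZE);
    printf("raw check rejects    = %d\n", raw_check_rejects(fence));
    printf("masked check rejects = %d\n", masked_check_rejects(fence));
    return 0;
}
```

On LP64 the fencepost's raw size field is 17 and its chunksize is 16, so the raw comparison lets the free proceed while the masked comparison would reject it; the same sizes also show the chunk sitting below MINSIZE, which is the heap-invariant violation the report mentions.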
