This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug malloc/20370] New: malloc: Arena free list management is still racy
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 14 Jul 2016 14:51:00 +0000
- Subject: [Bug malloc/20370] New: malloc: Arena free list management is still racy
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20370
Bug ID: 20370
Summary: malloc: Arena free list management is still racy
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security-
The fix for bug 19243 is incorrect. It is necessary to preserve the invariant
that if an arena is on the free list, it has thread attach count zero.
Otherwise, when arena_thread_freeres sees the zero attach count, it will add
it, and without the invariant, an arena could get pushed to the list twice,
resulting in a cycle.
One possible execution trace looks like this:
Thread 1 examines free list and observes it as empty.
Thread 2 exits and adds its arena to the free list, with attached_threads ==
0).
Thread 1 selects this arena in reused_arena (not from the free list).
Thread 1 increments attached_threads and attaches itself.
(The arena remains on the free list.)
Thread 1 exits, decrements attached_threads, and adds the arena to the free
list.
The final step creates a cycle in the usual way.
This race significantly harder to trigger than the original race in bug 19048,
and it does not result in an assert.
--
You are receiving this mail because:
You are on the CC list for the bug.