[Bug malloc/22088] New: malloc_check_get_size is not taking care of the special header and eventually segfaults

["mo at mightym0 dot de" <sourceware-bugzilla at sourceware dot org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=22088

            Bug ID: 22088
           Summary: malloc_check_get_size is not taking care of the
                    special header and eventually segfaults
           Product: glibc
           Version: 2.26
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: mo at mightym0 dot de
  Target Milestone: ---

malloc_check_get_size is called when using_malloc_checking is enabled.
This means malloc is using a different header defined in mcheck.c, which is not
compatible with the standard header.
However, malloc_check_get_size does the following to retrieve a chunks size:

for (size = chunksize (p) - 1 + (chunk_is_mmapped (p) ? 0 : SIZE_SZ);

chunksize is defined as:
#define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))
#define chunksize_nomask(p)         ((p)->mchunk_size)

This means it will use the value at the size location in the standard header,
which corresponds to the magic2 field in the new header. This value is an xor
with the MAGICWORD 0xfedabeeb, which causes a very likely segfault in the next
line:
(c = ((unsigned char *) p)[size]) != magic;


In fact, malloc_check_get_size totally dismisses the fact that there is a
different header in play. Even the pointer that it gets as an argument points
to the beginning of the standard header, which is right in the middle of the
new
header. Furthermore, all macro functions like chunk2mem, mem2chunk,
chunk_is_mmapped, only handle the standard header case and need to be replaced
or wrapped.

This bug is somehow related to
https://sourceware.org/bugzilla/show_bug.cgi?id=22057

-- 
You are receiving this mail because:
You are on the CC list for the bug.