This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug malloc/22088] New: malloc_check_get_size is not taking care of the special header and eventually segfaults
- From: "mo at mightym0 dot de" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 05 Sep 2017 19:07:34 +0000
- Subject: [Bug malloc/22088] New: malloc_check_get_size is not taking care of the special header and eventually segfaults
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22088
Bug ID: 22088
Summary: malloc_check_get_size is not taking care of the special header and eventually segfaults
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: mo at mightym0 dot de
Target Milestone: ---
malloc_check_get_size is called when using_malloc_checking is enabled.
This means malloc is using a different header defined in mcheck.c, which is not
compatible with the standard header.
However, malloc_check_get_size does the following to retrieve a chunk's size:
for (size = chunksize (p) - 1 + (chunk_is_mmapped (p) ? 0 : SIZE_SZ);
chunksize is defined as:
#define chunksize(p) (chunksize_nomask (p) & ~(SIZE_BITS))
#define chunksize_nomask(p) ((p)->mchunk_size)
This means it will use the value at the size location in the standard header,
which corresponds to the magic2 field in the new header. This value is an xor
with the MAGICWORD 0xfedabeeb, which causes a very likely segfault in the next
line:
(c = ((unsigned char *) p)[size]) != magic;
In fact, malloc_check_get_size totally dismisses the fact that there is a
different header in play. Even the pointer that it gets as an argument points
to the beginning of the standard header, which is right in the middle of the
new header. Furthermore, all macro functions like chunk2mem, mem2chunk and
chunk_is_mmapped only handle the standard header case and need to be replaced
or wrapped.
This bug is somehow related to
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
--
You are receiving this mail because:
You are on the CC list for the bug.
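As an added illustration (not code from the report above and not glibc's own code), the following C program models the two header layouts the report contrasts and shows which word of mcheck's header the standard chunksize() macro ends up reading when it is handed an mcheck user pointer. The struct hdr layout, MAGICWORD and the way mallochook fills the header are reproduced from glibc's malloc/mcheck.c as an assumption; fake_mcheck_alloc, offset_read_as_mchunk_size and misread_size_index are hypothetical helper names. The out-of-bounds read that the report says segfaults is computed but deliberately not performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout of mcheck's per-block header (struct hdr in glibc's
   malloc/mcheck.c), reproduced here as an assumption. The user pointer
   handed out by the hook is &hdr[1]. */
struct mcheck_hdr {
  size_t size;                 /* exact size requested by the user */
  unsigned long int magic;     /* MAGICWORD ^ (prev + next) */
  struct mcheck_hdr *prev;
  struct mcheck_hdr *next;
  void *block;                 /* real block allocated (for memalign) */
  unsigned long int magic2;    /* (uintptr_t) hdr ^ MAGICWORD */
};

#define MAGICWORD 0xfedabeebUL
#define MAGICBYTE ((char) 0xd7)

/* First two words of glibc's standard chunk header (struct malloc_chunk),
   plus the macros the bug report quotes. SIZE_BITS are the three flag bits. */
struct std_chunk {
  size_t mchunk_prev_size;
  size_t mchunk_size;
};
#define SIZE_SZ   (sizeof (size_t))
#define SIZE_BITS 0x7
#define mem2chunk(mem) ((struct std_chunk *) ((char *) (mem) - 2 * SIZE_SZ))
#define chunksize_nomask(p) ((p)->mchunk_size)
#define chunksize(p) (chunksize_nomask (p) & ~((size_t) SIZE_BITS))

/* Hypothetical stand-in for mcheck's mallochook: builds the mcheck header in
   front of the user area the way the hook does and returns &hdr[1]. */
void *fake_mcheck_alloc (size_t user_size)
{
  struct mcheck_hdr *hdr = malloc (sizeof *hdr + user_size + 1);
  if (hdr == NULL)
    return NULL;
  hdr->size = user_size;
  hdr->prev = hdr->next = NULL;
  hdr->magic = MAGICWORD ^ ((uintptr_t) hdr->prev + (uintptr_t) hdr->next);
  hdr->block = hdr;
  hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD;
  ((char *) &hdr[1])[user_size] = MAGICBYTE;   /* tail guard byte */
  return hdr + 1;
}

void fake_mcheck_free (void *mem)
{
  if (mem != NULL)
    free ((struct mcheck_hdr *) mem - 1);
}

/* Size mcheck actually recorded for this block. */
size_t mcheck_user_size (const void *mem)
{
  return ((const struct mcheck_hdr *) mem - 1)->size;
}

/* Offset, from the start of the mcheck header, of the word that chunksize()
   reads when malloc_check_get_size is handed the user pointer. With the
   layout above this lands on magic2, not on any size field. */
size_t offset_read_as_mchunk_size (const void *mem)
{
  const struct mcheck_hdr *hdr = (const struct mcheck_hdr *) mem - 1;
  const struct std_chunk *p = mem2chunk (mem);
  return (size_t) ((const char *) &p->mchunk_size - (const char *) hdr);
}

/* The index malloc_check_get_size computes for a non-mmapped chunk, using the
   formula quoted in the report; it is derived from magic2 (an address XORed
   with MAGICWORD), so it is far outside the block. */
size_t misread_size_index (const void *mem)
{
  const struct std_chunk *p = mem2chunk (mem);
  return chunksize (p) - 1 + SIZE_SZ;
}

int main (void)
{
  void *mem = fake_mcheck_alloc (24);
  if (mem == NULL)
    return 1;
  printf ("recorded user size:        %zu\n", mcheck_user_size (mem));
  printf ("offset of magic2 in hdr:   %zu\n", offsetof (struct mcheck_hdr, magic2));
  printf ("offset read as mchunk_size: %zu\n", offset_read_as_mchunk_size (mem));
  printf ("index the check would use:  %#zx\n", misread_size_index (mem));
  /* ((unsigned char *) mem2chunk (mem))[misread_size_index (mem)] is the
     out-of-bounds read the report describes; it is not performed here. */
  fake_mcheck_free (mem);
  return 0;
}
```

The index printed last is (hdr ^ MAGICWORD) with the low three bits cleared, plus 7; it can never equal the recorded size and is normally an address-sized value, which is why the subsequent byte read in malloc_check_get_size faults rather than returning a usable size.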