Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]

[Mel Gorman <mgorman at suse dot de>]

On Mon, Jun 08, 2015 at 01:36:13PM +0100, Mel Gorman wrote:
> mksquashfs was reported in openSUSE to be causing segmentation faults when
> creating installation images. Testing showed that mksquashfs sometimes
> failed and could be reproduced within 10 attempts. The core dump looked
> like the heap top was corrupted and was pointing to an unmapped area. In
> other cases, this has been due to an application corrupting glibc structures
> but mksquashfs appears to be fine in this regard.
> 
> The problem is that heap_trim is "growing" the top into unmapped space.
> If the top chunk == MINSIZE then top_area is -1 and this check does not
> behave as expected due to a signed/unsigned comparison
> 
>   if (top_area <= pad)
>     return 0;
> 
> The next calculation extra = ALIGN_DOWN(top_area - pad, pagesz) calculates
> extra as a negative number which also is unnoticed due to a signed/unsigned
> comparison. We then call shrink_heap(heap, negative_number) which crashes
> later. This patch adds a simple check against MINSIZE to make sure extra
> does not become negative. It adds a cast to hint to the reader that this
> is a signed vs unsigned issue.
> 
> Without the patch, mksquash fails within 10 attempts. With it applied, it
> completed 1000 times without error. The standard test suite "make check"
> showed no changes in the summary of test results.
> 
> 2015-06-08  Mel Gorman  <mgorman@suse.de>
> 
>   [BZ #18502]
>   * malloc/arena.c: Avoid corruption of the top of heaps for threads

Ping as it's been one week since the last submission.

-- 
Mel Gorman
SUSE Labs