This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]
- From: Mel Gorman <mgorman at suse dot de>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>, Carlos O'Donell <carlos at redhat dot com>
- Cc: Andreas Schwab <schwab at linux-m68k dot org>, libc-alpha at sourceware dot org
- Date: Mon, 15 Jun 2015 09:02:24 +0100
- Subject: Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]
- Authentication-results: sourceware.org; auth=none
- References: <20150608123613 dot GO26425 at suse dot de>
On Mon, Jun 08, 2015 at 01:36:13PM +0100, Mel Gorman wrote:
> mksquashfs was reported in openSUSE to be causing segmentation faults when
> creating installation images. Testing showed that mksquashfs sometimes
> failed and could be reproduced within 10 attempts. The core dump looked
> like the heap top was corrupted and was pointing to an unmapped area. In
> other cases, this has been due to an application corrupting glibc structures
> but mksquashfs appears to be fine in this regard.
>
> The problem is that heap_trim is "growing" the top into unmapped space.
> If the top chunk == MINSIZE then top_area is -1 and this check does not
> behave as expected due to a signed/unsigned comparison
>
> if (top_area <= pad)
> return 0;
>
> The next calculation extra = ALIGN_DOWN(top_area - pad, pagesz) calculates
> extra as a negative number which also is unnoticed due to a signed/unsigned
> comparison. We then call shrink_heap(heap, negative_number) which crashes
> later. This patch adds a simple check against MINSIZE to make sure extra
> does not become negative. It adds a cast to hint to the reader that this
> is a signed vs unsigned issue.
>
> Without the patch, mksquash fails within 10 attempts. With it applied, it
> completed 1000 times without error. The standard test suite "make check"
> showed no changes in the summary of test results.
>
> 2015-06-08 Mel Gorman <mgorman@suse.de>
>
> [BZ #18502]
> * malloc/arena.c: Avoid corruption of the top of heaps for threads
Ping as it's been one week since the last submission.
--
Mel Gorman
SUSE Labs