Re: [PATCH] [v3] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]

[Mel Gorman <mgorman at suse dot de>]

On Mon, Jun 15, 2015 at 09:02:24AM +0100, Mel Gorman wrote:
> On Mon, Jun 08, 2015 at 01:36:13PM +0100, Mel Gorman wrote:
> > mksquashfs was reported in openSUSE to be causing segmentation faults when
> > creating installation images. Testing showed that mksquashfs sometimes
> > failed and could be reproduced within 10 attempts. The core dump looked
> > like the heap top was corrupted and was pointing to an unmapped area. In
> > other cases, this has been due to an application corrupting glibc structures
> > but mksquashfs appears to be fine in this regard.
> > 
> > The problem is that heap_trim is "growing" the top into unmapped space.
> > If the top chunk == MINSIZE then top_area is -1 and this check does not
> > behave as expected due to a signed/unsigned comparison
> > 
> >   if (top_area <= pad)
> >     return 0;
> > 
> > The next calculation extra = ALIGN_DOWN(top_area - pad, pagesz) calculates
> > extra as a negative number which also is unnoticed due to a signed/unsigned
> > comparison. We then call shrink_heap(heap, negative_number) which crashes
> > later. This patch adds a simple check against MINSIZE to make sure extra
> > does not become negative. It adds a cast to hint to the reader that this
> > is a signed vs unsigned issue.
> > 
> > Without the patch, mksquash fails within 10 attempts. With it applied, it
> > completed 1000 times without error. The standard test suite "make check"
> > showed no changes in the summary of test results.
> > 
> > 2015-06-08  Mel Gorman  <mgorman@suse.de>
> > 
> >   [BZ #18502]
> >   * malloc/arena.c: Avoid corruption of the top of heaps for threads
> 
> Ping as it's been one week since the last submission.
> 

Another ping as it's been one week since the last ping.

-- 
Mel Gorman
SUSE Labs