lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-08 17:42:12 +03:00
Code Activity

malloc: Detect infinite-loop in _int_free when freeing tcache [BZ#27052]

Browse Source 
If linked-list of tcache contains a loop, it invokes infinite
loop in _int_free when freeing tcache. The PoC which invokes
such infinite loop is on the Bugzilla(#27052). This loop
should terminate when the loop exceeds mp_.tcache_count and
the program should abort. The affected glibc version is
2.29 or later.

Reviewed-by: DJ Delorie <dj@redhat.com>
This commit is contained in:
W. Hashimoto
2020-12-11 16:59:10 -05:00
committed by DJ Delorie
parent 751acde7ec
commit 0e00b35704
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
malloc/malloc.c
View File

@@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock)
if (__glibc_unlikely (e->key == tcache)) if (__glibc_unlikely (e->key == tcache))
{ {
tcache_entry *tmp; tcache_entry *tmp;
size_t cnt = 0;
LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx); LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
for (tmp = tcache->entries[tc_idx]; for (tmp = tcache->entries[tc_idx];
tmp; tmp;
tmp = REVEAL_PTR (tmp->next)) tmp = REVEAL_PTR (tmp->next), ++cnt)
{ {
if (cnt >= mp_.tcache_count)
malloc_printerr ("free(): too many chunks detected in tcache");
if (__glibc_unlikely (!aligned_OK (tmp))) if (__glibc_unlikely (!aligned_OK (tmp)))
malloc_printerr ("free(): unaligned chunk detected in tcache 2"); malloc_printerr ("free(): unaligned chunk detected in tcache 2");
if (tmp == e) if (tmp == e)