lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-07 06:43:00 +03:00
Code Activity

Fix race in free sanity check.

Browse Source
This commit is contained in:
Ulrich Drepper
2010-05-06 04:42:46 -07:00
parent d84acf388e
commit 5f24d53acb
3 changed files with 15334 additions and 15326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15324
ChangeLog
View File

File diff suppressed because it is too large Load Diff

15321
ChangeLog.17 Normal file
View File

File diff suppressed because it is too large Load Diff

15
malloc/malloc.c
View File

@@ -4859,6 +4859,7 @@ _int_free(mstate av, mchunkptr p)
#ifdef ATOMIC_FASTBINS #ifdef ATOMIC_FASTBINS
mchunkptr fd; mchunkptr fd;
mchunkptr old = *fb; mchunkptr old = *fb;
unsigned int old_idx = ~0u;
do do
{ {
/* Another simple check: make sure the top of the bin is not the /* Another simple check: make sure the top of the bin is not the
@@ -4868,15 +4869,17 @@ _int_free(mstate av, mchunkptr p)
errstr = "double free or corruption (fasttop)"; errstr = "double free or corruption (fasttop)";
goto errout; goto errout;
} }
if (old != NULL if (old != NULL)
&& __builtin_expect (fastbin_index(chunksize(old)) != idx, 0)) old_idx = fastbin_index(chunksize(old));
{
errstr = "invalid fastbin entry (free)";
goto errout;
}
p->fd = fd = old; p->fd = fd = old;
} }
while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd); while ((old = catomic_compare_and_exchange_val_rel (fb, p, fd)) != fd);
if (fd != NULL && __builtin_expect (old_idx != idx, 0))
{
errstr = "invalid fastbin entry (free)";
goto errout;
}
#else #else
/* Another simple check: make sure the top of the bin is not the /* Another simple check: make sure the top of the bin is not the
record we are going to add (i.e., double free). */ record we are going to add (i.e., double free). */