From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 20 Dec 2006 17:07:00 -0000
From: "larsj at inel dot gov"
To: glibc-bugs@sources.redhat.com
Message-ID: <20061220170727.3769.larsj@inel.gov>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c
X-Bugzilla-Reason: CC
X-SW-Source: 2006-12/txt/msg00046.txt.bz2

Null pointer dereference (problem and fix)

I'm doing some funky hand-optimized code in mmap'd regions. I get a NULL
pointer dereference if I call calloc() but not if I call malloc(). The code
block in arena_get2() in arena.c is:

  do {
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);

After a few times around the loop, a is NULL, resulting in a NULL pointer
dereference when trying to access a->mutex. The comment indicates that this
should be a circular list. I'm not sure why there's a NULL, but a simple
check fixes the problem. If I call the same code from a shared library, no
problem. If I do a bunch of malloc() sleep() free() blocks, it doesn't crash.
If I set the MALLOC_CHECK_ flag, it doesn't crash. Overall an interesting bug
to track down. I manually checked each heap header to verify I'm not
smashing any of the headers.

  do {
>>>>>>>>>>>>>>>>>>>>>>
    if (!a) break;
<<<<<<<<<<<<<<<<<<<<<<
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);

I've verified it on REL4 (can we even call it linux anymore) and gentoo.

Jason

-- 
           Summary: Null pointer dereference in arena_get2() in arena.c
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: larsj at inel dot gov
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: i386-linux-gnu

http://sourceware.org/bugzilla/show_bug.cgi?id=3769

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
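Added example, not code from the report or from glibc: a small C model of the arena-ring walk above with the reporter's `if (!a)` guard in place, showing that a NULL link in what should be a circular list makes the lookup return NULL (fail closed) instead of dereferencing the pointer. The `struct arena`, the flag-based trylock, starting the walk at `a_tsd`, and the `run_lookup` helper are all assumptions of this model.

```c
#include <stddef.h>

/* Model of the malloc arena ring constructed for this example (not glibc's
 * own struct): a lock flag plus a `next` link that should close into a
 * circular list. A plain flag stands in for the mutex, so no threads needed. */
struct arena {
    int locked;
    int id;
    struct arena *next;
};

/* Same contract as mutex_trylock: 0 on success, nonzero if already held. */
static int arena_trylock(struct arena *a)
{
    if (a->locked)
        return 1;
    a->locked = 1;
    return 0;
}

/* The arena_get2() loop from the report with the proposed `if (!a)` guard.
 * Starting `a` at `a_tsd` is an assumption of this model. Returns the arena
 * whose lock was taken, or NULL if the ring is broken (NULL link) or every
 * arena is busy; the unguarded loop would dereference the NULL link. */
struct arena *arena_get_guarded(struct arena *a_tsd)
{
    struct arena *a = a_tsd;
    do {
        if (!a)
            return NULL;        /* broken ring: fail closed instead of crashing */
        if (!arena_trylock(a))
            return a;
        a = a->next;
    } while (a != a_tsd);
    return NULL;                /* full lap, all arenas locked */
}

/* Build n arenas as a ring (ring_ok) or with the last link left NULL, mark the
 * ones in busy_mask as held, then look up from arena 0. Returns the id
 * obtained, or -1 for NULL. Hypothetical helper for this example. */
int run_lookup(int n, int ring_ok, unsigned busy_mask)
{
    static struct arena arr[8];
    if (n < 1 || n > 8)
        return -1;
    for (int i = 0; i < n; i++) {
        arr[i].locked = (busy_mask >> i) & 1u;
        arr[i].id = i;
        arr[i].next = (i + 1 < n) ? &arr[i + 1] : (ring_ok ? &arr[0] : NULL);
    }
    struct arena *got = arena_get_guarded(&arr[0]);
    return got ? got->id : -1;
}
```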