public inbox for glibc-bugs@sourceware.org
* [Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c
From: larsj at inel dot gov @ 2006-12-20 17:07 UTC (permalink / raw)
To: glibc-bugs
Null pointer dereference (problem and fix)
I'm doing some funky hand-optimized code in mmap'd regions. I get a NULL pointer
dereference if I call calloc() but not if I call malloc(). The code block in
arena_get2() in arena.c is:
  do {
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);
After a few times around the loop, a is NULL, resulting in a NULL pointer
dereference when trying to access a->mutex. The comment indicates that this
should be a circular list. I'm not sure why there's a NULL, but a simple check
fixes the problem. If I call the same code from a shared library, no problem.
If I do a bunch of malloc() sleep() free() blocks, it doesn't crash. If I set
the MALLOC_CHECK_ flag, it doesn't crash. Overall an interesting bug to track
down. I manually checked each heap header to verify I'm not smashing any of the
headers.
  do {
>>>>>>>>>>>>>>>>>>>>>>
    if (!a) break;
<<<<<<<<<<<<<<<<<<<<<<
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);
I've verified it on REL4 (can we even call it linux anymore) and gentoo.
Jason
--
Summary: Null pointer dereference in arena_get2() in arena.c
Product: glibc
Version: 2.4
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: larsj at inel dot gov
CC: glibc-bugs at sources dot redhat dot com
GCC host triplet: i386-linux-gnu
http://sourceware.org/bugzilla/show_bug.cgi?id=3769
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
* [Bug libc/3769] Null pointer dereference in arena_get2() in arena.c
From: drepper at redhat dot com @ 2006-12-20 19:33 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2006-12-20 19:32 -------
This indicates you have a buffer overflow. Debug it using techniques like
valgrind and mudflap.
--
What        |Removed |Added
------------+--------+-----------
Status      |NEW     |RESOLVED
Resolution  |        |WORKSFORME
http://sourceware.org/bugzilla/show_bug.cgi?id=3769
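A self-contained illustration of the point that runs through both messages above (added here; it is not code from the bug report or from glibc): arena.c builds the arena list as a ring, so a NULL `next` can only mean the list was overwritten, and the reporter's `if (!a) break;` turns the crash into a silent "no arena available" result while the corruption stays in place. The toy below assumes a constructed layout in which a caller's 16-byte buffer, a guard word and an arena header sit next to each other, and it emulates mutex_trylock() with a flag; glibc's real heap layout and locking differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NARENAS 3
#define CANARY  0x5a5aa5a5deadbeefULL   /* guard word, constructed for the demo */

/* Stand-in for the two malloc_state fields the arena_get2() loop touches. */
struct arena {
    int mutex;            /* 0 = free, 1 = held (emulates mutex_trylock) */
    struct arena *next;   /* circular list, as the arena.c comment promises */
};

/* Assumed layout: a caller-owned buffer sits right in front of a guard word
   and an arena header, so writing past the buffer clobbers the arena. This
   adjacency is constructed for illustration and is not glibc's heap layout. */
struct region {
    char buf[16];
    uint64_t canary;
    struct arena arena;
};

static struct region regions[NARENAS];

/* Emulated mutex_trylock(): returns 0 when the lock was taken, 1 if busy. */
static int arena_trylock(struct arena *a)
{
    if (a->mutex)
        return 1;
    a->mutex = 1;
    return 0;
}

/* Link the arenas into a ring and arm the guard words. */
static void setup(void)
{
    memset(regions, 0, sizeof regions);
    for (int i = 0; i < NARENAS; i++) {
        regions[i].canary = CANARY;
        regions[i].arena.next = &regions[(i + 1) % NARENAS].arena;
    }
}

/* The buggy caller: writes n zero bytes into a 16-byte buffer. Any n larger
   than sizeof buf first smashes the guard word, then the arena header. */
static void overflowing_write(struct region *r, size_t n)
{
    unsigned char *p = (unsigned char *)r + offsetof(struct region, buf);
    memset(p, 0, n);
}

/* The reporter's patched loop: walk the ring from a_tsd->next looking for an
   arena whose lock can be taken; the added NULL check makes a broken ring
   return NULL instead of faulting, so the caller never learns it was broken. */
static struct arena *arena_get2_patched(struct arena *a_tsd)
{
    struct arena *a = a_tsd->next;
    do {
        if (!a)
            break;                  /* the proposed fix: hides the corruption */
        if (!arena_trylock(a))
            return a;
        a = a->next;
    } while (a != a_tsd);
    return NULL;                    /* real arena_get2() would create a new arena here */
}

/* Integrity check: follow next from head and return the ring length, or -1 if
   a NULL link or a cycle that never returns to head shows up within max_nodes
   hops. A ring that is not a ring is corruption, not a condition to skip over. */
static int ring_check(const struct arena *head, int max_nodes)
{
    const struct arena *a = head->next;
    int hops = 1;
    while (a != head) {
        if (!a || hops > max_nodes)
            return -1;
        a = a->next;
        hops++;
    }
    return hops;
}

/* Guard-word check: catches the overflow at its source, before the ring walk. */
static int canary_intact(const struct region *r)
{
    return r->canary == CANARY;
}

int main(void)
{
    setup();
    printf("healthy ring: length %d, patched loop %s an arena\n",
           ring_check(&regions[0].arena, NARENAS),
           arena_get2_patched(&regions[0].arena) ? "finds" : "does not find");

    setup();
    overflowing_write(&regions[0], sizeof(struct region));  /* far past the 16-byte buffer */
    printf("after overflow: canary %s, ring_check %d, patched loop %s an arena\n",
           canary_intact(&regions[0]) ? "intact" : "smashed",
           ring_check(&regions[0].arena, NARENAS),
           arena_get2_patched(&regions[0].arena) ? "finds" : "does not find");
    return 0;
}
```

The second run shows the two outcomes side by side: the patched loop quietly reports no arena, while `ring_check()` flags the broken ring and `canary_intact()` pins the damage to the buffer that was written past. The guard word is the same idea the tools named in the reply rely on (valgrind's redzones around heap blocks, mudflap's bounds checks): detect the write where it happens rather than where the clobbered pointer is finally dereferenced.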