public inbox for glibc-bugs@sourceware.org
* [Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
@ 2008-07-03 17:19 wowzerjk at gmail dot com
  2008-07-03 17:30 ` [Bug libc/6718] " wowzerjk at gmail dot com
  2008-07-03 17:33 ` drepper at redhat dot com
  0 siblings, 2 replies; 3+ messages in thread
From: wowzerjk at gmail dot com @ 2008-07-03 17:19 UTC (permalink / raw)
  To: glibc-bugs

In glibc 2.7, malloc malfunctions when running this program I wrote.
Glibc 2.7 is from Ubuntu 8.04, kernel version is 2.6.24.3. The kernel is from apt-get install linux-source.

The problem is that malloc returns memory chunks it has already returned before.

Example code generating the problem is as follows.

  #include <stdio.h>
  #include <stdlib.h>

  int main(void)
  {
      int* p[10];
      int* q[5];
      int i;

      for(i=0; i<10; ++i)
          p[i] = malloc(8);           /* ten fastbin-sized chunks */

      free(p[0]);
      free(p[1]);
      free(p[2]);
      free(p[3]);
      free(p[0]);                     /* double free of p[0], which is no longer at the top of the fastbin */

      for(i=0; i<5; ++i) {
          q[i] = malloc(5);           /* requests served from the same fastbin */
          printf("malloc %p\n", (void *) q[i]);
      }

      return 0;
  }

The result is as follows.

~# gcc test.c
~# ./a.out 
malloc 0x804a008   // first allocation
malloc 0x804a038
malloc 0x804a028
malloc 0x804a018
malloc 0x804a008   // duplicated allocation

The above source code actually has a double free error.
(The free source code may not detect such double frees for FASTBIN.)
But duplicated allocation seems dangerous.
I think that this problem is caused by the "fd" member of "mchunkptr" not being initialized when malloc
works using FASTBIN.

The source code causing this problem is in malloc.c in the function _int_free().
I got glibc source using apt-get install glibc-source in Ubuntu 8.04.

4605:         p->fd = *fb;
4606:         *fb = p;

If p->fd = NULL; is inserted, I think everything will be fine :)
(But it still cannot catch double frees for FASTBIN.)

-- 
           Summary: duplicated allocation using malloc for FASTBIN size
                    chunks in glibc 2.7
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: wowzerjk at gmail dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686 linux gnu
  GCC host triplet: i686 linux gnu
GCC target triplet: i686 linux gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=6718

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


^ permalink raw reply	[flat|nested] 3+ messages in thread
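Added example (not part of the bug report or of glibc): a free() quarantine of the kind a defender can wrap around free() to catch exactly the pattern in the program above. The second free of p[0] is not at the head of the fastbin, which is the only position glibc's double-free check in _int_free() inspects, whereas a ring of recently freed pointers finds it anywhere, and because quarantined memory is never handed back to glibc while tracked, a later malloc cannot return the same block twice. The names quarantined_free, quarantine_flush, replay_report_pattern and QUARANTINE_SLOTS are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#define QUARANTINE_SLOTS 16

/* Ring of freed-but-not-yet-released blocks (hypothetical helper for this
 * example): while a block is held here malloc() cannot hand it out again, and
 * a second free of it is found by pointer comparison anywhere in the ring. */
static void *quarantine[QUARANTINE_SLOTS];
static size_t q_next;

/* Returns 1 if the free was accepted, 0 for a double free (reported, dropped). */
int quarantined_free(void *p)
{
    size_t i;
    if (p == NULL) return 1;
    for (i = 0; i < QUARANTINE_SLOTS; i++)
        if (quarantine[i] == p) {
            fprintf(stderr, "double free detected: %p\n", p);
            return 0;
        }
    free(quarantine[q_next]);   /* evict the oldest entry; free(NULL) is a no-op */
    quarantine[q_next] = p;
    q_next = (q_next + 1) % QUARANTINE_SLOTS;
    return 1;
}

void quarantine_flush(void)     /* release everything still held */
{
    size_t i;
    for (i = 0; i < QUARANTINE_SLOTS; i++) { free(quarantine[i]); quarantine[i] = NULL; }
    q_next = 0;
}

/* Replays the free sequence from the report through the quarantine. Returns the
 * number of double frees caught, or -1 if the five later mallocs returned a duplicate. */
int replay_report_pattern(void)
{
    void *p[10], *q[5];
    int i, j, caught = 0;
    for (i = 0; i < 10; i++) p[i] = malloc(8);
    for (i = 0; i < 4; i++) quarantined_free(p[i]);
    caught += !quarantined_free(p[0]);  /* p[0] is below the fastbin top: glibc's check misses it */
    for (i = 0; i < 5; i++) q[i] = malloc(5);
    for (i = 0; i < 5; i++) for (j = i + 1; j < 5; j++) if (q[i] == q[j]) caught = -1;
    for (i = 0; i < 5; i++) quarantined_free(q[i]);
    for (i = 4; i < 10; i++) quarantined_free(p[i]);
    quarantine_flush();
    return caught;
}
```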

* [Bug libc/6718] duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
  2008-07-03 17:19 [Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7 wowzerjk at gmail dot com
@ 2008-07-03 17:30 ` wowzerjk at gmail dot com
  2008-07-03 17:33 ` drepper at redhat dot com
  1 sibling, 0 replies; 3+ messages in thread
From: wowzerjk at gmail dot com @ 2008-07-03 17:30 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From wowzerjk at gmail dot com  2008-07-03 17:29 -------
I made a mistake writing the source of the problem.
The problem is caused by the _int_malloc() function in malloc.c
(glibc 2.7 from apt-get install glibc-source in Ubuntu 8.04).

4111             *fb = victim->fd;

victim->fd must be reset, like 'victim->fd = NULL', after the above line.







* [Bug libc/6718] duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7
  2008-07-03 17:19 [Bug libc/6718] New: duplicated allocation using malloc for FASTBIN size chunks in glibc 2.7 wowzerjk at gmail dot com
  2008-07-03 17:30 ` [Bug libc/6718] " wowzerjk at gmail dot com
@ 2008-07-03 17:33 ` drepper at redhat dot com
  1 sibling, 0 replies; 3+ messages in thread
From: drepper at redhat dot com @ 2008-07-03 17:33 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2008-07-03 17:32 -------
If your program is buggy, don't expect glibc to magically fix the mistakes.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



