[Bug libc/10018] New: malloc thread-safety issues

[Bug libc/10018] New: malloc thread-safety issues

[clement dot stenac at exalead dot com]

The attached program (corruption.c) exposes a memory corruption issue with
malloc running on multithread.

The corruption has been reproduced on several computers running various Linux
distributions, and with glibc ranging from 2.5 to 2.9. It has not been
reproduced on glibc 2.3

The corruption has been reproduced on 2,4 and 8 cores machines. It has not been
reproduced on monocore machines. It has only been reproduced on x86_64, not on x86

The attached program basically does:
 * malloc a buffer of size X
 * fill it with a memory pattern
 * realloc it to size 2X
 * check that the pattern is still ok on [0:X[

On the attached program, depending on X, the last Y bytes are corrupted, with Y
ranging from 0 to 8. Several runs of a few seconds might be required to expose
the bug.

Here is the complete matrix of reproduction cases.
Distro          Cpu 	Cores 	Libc 	GCC 	Kernel 	Vulnerable
Debian Etch 	x86-64 	8 	2.3 	4.1.2 	2.6.27 	No
Debian Lenny 	?? 	2 	2.7 	4.3.2 	? 	No
RH5 	        x86-64 	4 	2.5 	4.1.2 	2.6.18  Yes
Gentoo 	        x86-64 	4 	2.8 	4.1.2 	2.6.27 	Yes
CentOS 5.2 	x86-64 	4 	2.5 	4.1.2 	2.6.18 	Yes
Debian Sid 	x86 	1 	2.9 	4.3.3 	2.6.26 	No
RH4 	        x86-64  2       2.3     3.4     2.6.9 	No
Gentoo          x86-64 	4 	2.6.1 	4.1.2 	2.6.25 	Yes
Gentoo          x86-64  2       2.5 	4.1.1 	2.6.20 	Yes
Gentoo          x86-64  8       2.6.1   4.1.1 	2.6.28 	Yes
Debian Sid 	x86 	2 	2.9 	4.3.3 	2.6.26 	No
Debian Testing 	x86-64 	2 	2.7 	4.1.2 	2.6.26 	Yes 


This might be related to BUG 6952
(if it's related, then it probably produces an easier reproduction case)

-- 
           Summary: malloc thread-safety issues
           Product: glibc
           Version: 2.8
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: clement dot stenac at exalead dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10018

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10018] malloc thread-safety issues

[clement dot stenac at exalead dot com]

------- Additional Comments From clement dot stenac at exalead dot com  2009-03-31 07:30 -------
Created an attachment (id=3858)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=3858&action=view)
Minimal test case exposing the problem


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10018

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10018] malloc thread-safety issues

[Florian dot Douetteau at exalead dot com]

------- Additional Comments From Florian dot Douetteau at exalead dot com  2009-04-04 14:39 -------

The corruption has also been reproduced on this system : 

Distro          Cpu 	Cores 	Libc 	GCC 	Kernel 	Vulnerable
Gentoo          x86-64  8       2.8   4.3.2 	2.6.27 	Yes

When compiling glibc 2.9 out of the box on this system, 
from
ftp://sources.redhat.com/pub/glibc/releases/glibc-libidn-2.9.tar.gz
and LD_PRELOADing it the corruption disappears.

When reverse applying this patch, on 2.9 sources 
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/malloc/malloc.c.diff?r1=1.189&r2=1.190&cvsroot=glibc


(comment: (public_rEALLOc): When new arena is used, copy really all bytes) 

and recompiling, the corruption reappers.



-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10018

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10018] malloc thread-safety issues

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2009-11-01 16:48 -------
(In reply to comment #2)
> When reverse applying this patch, on 2.9 sources 
> and recompiling, the corruption reappers.

Which means the bug is fixed.  Why didn't you close it then?


-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=10018

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10018] malloc thread-safety issues

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=10018

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.