public inbox for glibc-bugs@sourceware.org
* [Bug libc/12140] New: mallopt(M_PERTURB) free() anomaly
From: mtk.manpages at gmail dot com @ 2010-10-20  2:40 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12140

           Summary: mallopt(M_PERTURB) free() anomaly
           Product: glibc
           Version: 2.12
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: mtk.manpages@gmail.com


If mallopt() is used to set M_PERTURB, then, as expected, the bytes of
allocated memory are initialized to the complement of the byte in the 'value'
argument.

When that memory is freed, then the bytes of the region are initialized to the
byte specified in 'value'. However, there is an off-by-sizeof(size_t) error in
the code: instead of initializing precisely the block of memory being freed,
the block starting at p+sizeof(size_t) is initialized.

It looks like the two lines of this form in malloc/malloc.c

      free_perturb (chunk2mem(p), size - SIZE_SZ);

should instead be

      free_perturb (p, size);

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


* [Bug libc/12140] mallopt(M_PERTURB) free() anomaly
From: mtk.manpages at gmail dot com @ 2010-10-20  2:42 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12140

--- Comment #1 from Michael Kerrisk <mtk.manpages at gmail dot com> 2010-10-20 02:42:48 UTC ---
Created attachment 5071
  --> http://sourceware.org/bugzilla/attachment.cgi?id=5071
test program

The following sample run of the attached program demonstrates the problem.

$ ./a.out 8 0x0f      # Allocate 8 bytes, M_PERTURB=0x0f
f0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 
7b 7b 7b 7b 7b 7b 7b 7b 00 00 00 00 
00 00 00 00 0f 0f 0f 0f 0f 0f 0f 0f


* [Bug libc/12140] mallopt(M_PERTURB) free() anomaly
From: drepper.fsp at gmail dot com @ 2010-10-25  2:37 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12140

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Ulrich Drepper <drepper.fsp at gmail dot com> 2010-10-25 02:37:35 UTC ---
I checked in a patch.


* [Bug libc/12140] mallopt(M_PERTURB) free() anomaly
From: mtk.manpages at gmail dot com @ 2012-03-18 21:07 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12140

Michael Kerrisk <mtk.manpages at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #3 from Michael Kerrisk <mtk.manpages at gmail dot com> 2012-03-18 20:31:24 UTC ---
The patch of 2010-10-25 changed the problem, but didn't remove it. The test
program now produces the following output: 

$ ./a.out 8 0x0f      # Allocate 8 bytes, M_PERTURB=0x0f
f0 f0 f0 f0 f0 f0 f0 f0 00 00 00 00 
7b 7b 7b 7b 7b 7b 7b 7b 00 00 00 00 
00 00 00 00 0f 0f 0f 0f 00 00 00 00 

The last line of output should be:

0f 0f 0f 0f 0f 0f 0f 0f 00 00 00 00


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: jsm28 at gcc dot gnu.org @ 2012-03-19 15:52 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=12140

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |malloc


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: siddhesh at redhat dot com @ 2012-10-17 12:35 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at redhat dot com

--- Comment #4 from Siddhesh Poyarekar <siddhesh at redhat dot com> 2012-10-17 12:34:47 UTC ---
This is tricky because it conflicts with the design of malloc.  The
user-visible memory area is used by fd and bk pointers to make the internal
free list.  I don't think there is a good way to fix this.  The best I can do
is add a note in the documentation about it.


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: mtk.manpages at gmail dot com @ 2012-10-17 12:55 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

--- Comment #5 from Michael Kerrisk <mtk.manpages at gmail dot com> 2012-10-17 12:55:27 UTC ---
(In reply to comment #4)
> This is tricky because it conflicts with the design of malloc.  The
> user-visible memory area is used by fd and bk pointers to make the internal
> free list.  I don't think there is a good way to fix this.  The best I can do
> is add a note in the documentation about it.

This isn't correct. I am not talking about the bytes that are used by the fd/bk
pointers. This concerns what happens to the bytes in the usable malloc()ed
area. Please look more closely at the test program.


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: siddhesh at redhat dot com @ 2012-10-17 13:02 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

--- Comment #6 from Siddhesh Poyarekar <siddhesh at redhat dot com> 2012-10-17 13:02:01 UTC ---
Yes, that's the fun part.  The fd and bk pointers are written within the usable
area for a free block - it saves 2*sizeof(void *) per chunk.  In any case, a
user should not expect to be able to use them anyway for doing a check similar
to what you did after free, because that is undefined - you could cause a
segfault if the chunk was allocated using mmap.

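An added example (not the attached test program and not glibc code) that makes the allocation-side half of this thread concrete: it enables M_PERTURB as the report does, checks the one guarantee that is well defined (a fresh block reads as the complement of the value) and shows the payoff, a deterministic sentinel for a forgotten field initialisation, while leaving freed memory alone for the reason comment #6 gives. Assumptions: glibc's allocator, a 4096-byte block chosen to stay clear of the per-thread cache that later glibc versions added, and a made-up `struct record`.

```c
#include <stdint.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <malloc.h>          /* mallopt() and M_PERTURB are glibc-specific */
#endif

#define PERTURB_VALUE 0x0f   /* the value used in the report's sample run */
#define ALLOC_FILL ((unsigned char)~PERTURB_VALUE)   /* 0xf0 */
#define BLOCK_SIZE 4096      /* assumed > glibc's tcache limit: takes the fill path */

struct record {              /* hypothetical application record */
    uint32_t id;
    uint32_t flags;          /* the "constructor" below never sets this */
};
#define BATCH_RECORDS (BLOCK_SIZE / sizeof(struct record))

/* Enable perturbation process-wide: 1 on glibc, 0 where M_PERTURB is absent. */
static int enable_perturb(void)
{
#ifdef __GLIBC__
    return mallopt(M_PERTURB, PERTURB_VALUE) == 1;
#else
    return 0;
#endif
}

/* Allocation-side guarantee: every byte of a fresh block reads as ~value.
   Returns how many bytes do not (expect 0). Volatile reads stop the
   compiler from folding the loop away. */
static size_t alloc_fill_mismatches(size_t n)
{
    unsigned char *p = malloc(n);
    if (!p) return n;
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += ((volatile unsigned char *)p)[i] != ALLOC_FILL;
    /* The free-side fill is deliberately not inspected: reading freed memory
       is undefined, and the first 2*sizeof(void *) bytes of the user area
       hold the allocator's fd/bk pointers anyway (comment #6). */
    free(p);
    return bad;
}

/* The payoff for testing: a forgotten field initialisation reads back as the
   fixed sentinel 0xf0f0f0f0 instead of whatever the chunk last held. */
static uint32_t uninit_field_sentinel(void)
{
    struct record *batch = malloc(BATCH_RECORDS * sizeof *batch);
    if (!batch) return 0;
    batch[7].id = 7;                                /* flags left untouched */
    uint32_t flags = *(volatile uint32_t *)&batch[7].flags;
    free(batch);
    return flags;
}
```

Run it with and without calling enable_perturb() first to see the uninitialised field change from whatever the chunk held to the fixed sentinel.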

* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: mtk.manpages at gmail dot com @ 2012-10-17 14:11 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

--- Comment #7 from Michael Kerrisk <mtk.manpages at gmail dot com> 2012-10-17 14:11:05 UTC ---
(In reply to comment #6)
> Yes, that's the fun part.  The fd and bk pointers are written within the usable
> area for a free block - it saves 2*sizeof(void *) per chunk.  In any case, a
> user should not expect to be able to use them anyway for doing a check similar
> to what you did after free, because that is undefined - you could cause a
> segfault if the chunk was allocated using mmap.

Ahhh yes, I see what you mean.

However, that begs the question: why do the values in the first 2* sizeof(void
*) not look like pointers? (Okay, the zero could be a NULL pointer, but that
seems unlikely.) I imagine that the reason is this: this particular block
of memory is in a FASTBIN, and IIRC, pointers are used there, just bitmaps of
free and in use slots. Sound reasonable?


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: siddhesh at redhat dot com @ 2012-10-17 14:33 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

--- Comment #8 from Siddhesh Poyarekar <siddhesh at redhat dot com> 2012-10-17 14:33:13 UTC ---
(In reply to comment #7)
> However, that begs the question: why do the values in the first 2* sizeof(void
> *) not look like pointers? (Okay, the zero could be a NULL pointer, but that
> seems unlikely.) I imagine that the reason is this: this particular block
> of memory is in a FASTBIN, and IIRC, pointers are used there, just bitmaps of
> free and in use slots. Sound reasonable?

They're NULL pointers as you guessed, since the fastbins are empty in this
case.  In a more elaborate usage, you'll find actual pointers there, especially
if a block is used long enough after it has been freed.


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: siddhesh at redhat dot com @ 2012-10-18  3:00 UTC (permalink / raw)
  To: glibc-bugs


http://sourceware.org/bugzilla/show_bug.cgi?id=12140

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #9 from Siddhesh Poyarekar <siddhesh at redhat dot com> 2012-10-18 02:59:57 UTC ---
Resolved with an update in the documentation.  It should appear on the website
with the 2.17 release:

http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b741de23e214763ba4ffcd95829315dd315897ea


* [Bug malloc/12140] mallopt(M_PERTURB) free() anomaly
From: fweimer at redhat dot com @ 2014-06-30  7:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=12140

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-
