[Bug libc/10282] free() race in mcheck hooks

[Bug libc/10282] free() race in mcheck hooks

[neleai at seznam dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=10282

Ondrej Bilka <neleai at seznam dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |qboosh@pld-linux.org

--- Comment #8 from Ondrej Bilka <neleai at seznam dot cz> ---
*** Bug 770 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/10282] free() race in mcheck hooks

[jackie.rosen at hushmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=10282

Jackie Rosen <jackie.rosen at hushmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jackie.rosen at hushmail dot com

--- Comment #9 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/10282] free() race in mcheck hooks

[schwab at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=10282

Andreas Schwab <schwab at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|jackie.rosen at hushmail dot com   |

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/10282] free() race in mcheck hooks

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=10282

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/10282] New: free() race in mcheck hooks

[pasky at suse dot cz]

In multi-threaded programs, we are seeing a lot of free() aborts with
MALLOC_CHECK_ turned on (our default settings) with glibc-2.10 on
openSUSE:Factory. A simple testcase is not easy to make, but I suppose
brute-forcing parallel free()s agressively enough would make it show up.

I think this locking change is the cause. In realloc_check(), the mutex is
explicitly taken when calling mem2chunk_check(), and mem2chunk_check appears to
be accessing other parts of the arena which I guess is unsafe without the mutex.

Shouldn't the mutex be held during mem2chunk_check()?

-- 
           Summary: free() race in mcheck hooks
           Product: glibc
           Version: 2.11
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: pasky at suse dot cz
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2009-06-14 23:04 -------
Created an attachment (id=3996)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=3996&action=view)
proposed patch


-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2009-06-15 15:42 -------
It turns out that this introduces on the other hand a deadlock if
MALLOC_CHECK_=3, since malloc_printerr() tries to re-acquire the lock; the same
deadlock exists in top_check() currently, BTW.

I will attach a new patch as soon as I test it.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2009-06-15 22:37 -------
Created an attachment (id=4001)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4001&action=view)
deadlock-free proposed patch

Revised patch; unfortunately, the ATOMIC_FASTBINS stuff makes the code fairly
ugly now... getting rid of the #if 0 bit might help a little.

Without this patch, this crashes in few tens of seconds on my four-core when
run with MALLOC_CHECK_=3:

/* compile with -fopenmp */
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
#pragma omp parallel num_threads(256)
  while (1) {
    void *ptr = malloc(rand() % 65536);
    usleep((rand() % 100) * 100);
    free(ptr);
    usleep((rand() % 100) * 100);
  }
  return 0;
}

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #3996 is|0                           |1
           obsolete|                            |


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[mpyne at kde dot org]

------- Additional Comments From mpyne at kde dot org  2009-11-16 23:15 -------
I just wanted to point out that the bug is still present in glibc 2.11. The
second proposed patch works for me in both the testcase and (so far) in my KDE
workspace with MALLOC_CHECK_ enabled.

This bug is a concern for KDE developers because development versions of KDE
automatically set MALLOC_CHECK_ for glibc systems to attempt maximize early
error detection.  It's hard when merely enabling mcheck causes crashes of its
own though. Something in the combination of Qt4+glib and a couple of other KDE
programs (like Okular, KTorrent, and KNotify) trips across this race quite
frequently.

Since there appears to be a fix I'll go ahead and inform the KDE development
community so we can push for the fix to be implemented in distribution packages
while it's debated for glibc.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2009-11-16 23:25 -------
That is quite strange, this appeared to me to have been fixed right before 2.11
release. And I cannot reproduce this bug anymore with 2.11 final. Are you sure
you are seeing the bug with that glibc version? Is that vanilla or in some
distribution? Does my testcase still trigger the bug for you?

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[mpyne at kde dot org]

------- Additional Comments From mpyne at kde dot org  2009-11-17 00:25 -------
(In reply to comment #5)
> That is quite strange, this appeared to me to have been fixed right before
2.11
> release. And I cannot reproduce this bug anymore with 2.11 final. Are you
sure
> you are seeing the bug with that glibc version? Is that vanilla or in some
> distribution? Does my testcase still trigger the bug for you?

This is in glibc 2.11 as distributed by Gentoo that I see it. The vanilla USE
flag is disabled so they apply whatever Gentoo magic it is that makes things
happen. However the mcheck fix patch applied cleanly and I can't believe Gentoo
would create a patch to revert that fix.

According to gitweb the affected file (malloc/hooks.c) was last updated
2009-04-17 in the glibc 2.11 tag
(http://sourceware.org/git/?p=glibc.git;a=history;f=malloc/hooks.c;h=622a815f32

Your testcase still triggered the bug (and quite expeditiously too).

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[pasky at suse dot cz]

------- Additional Comments From pasky at suse dot cz  2009-11-17 00:49 -------
Aha, you are right, I'm sorry; a fix was committed right after 2.11 was tagged,
and in SUSE I took a later commit for our 2.11 build.

Anyway, I have already cherry-picked the fix for the 2.11 stable branch and this
will be included in 2.11.1, to be released before the end of November.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[rdieter at math dot unl dot edu]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rdieter at math dot unl dot
                   |                            |edu


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[esigra at gmail dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |esigra at gmail dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10282] free() race in mcheck hooks

[herrold at owlriver dot com]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |herrold at owlriver dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10282

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.