public inbox for glibc-bugs@sourceware.org
* [Bug libc/13576] New: Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-01-09 21:12 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

             Bug #: 13576
           Summary: Free chunk in malloc may have incorrect size
           Product: glibc
           Version: 2.15
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: hjl.tools@gmail.com
    Classification: Unclassified


sYSMALLOc has

     /* Setup fencepost and free the old top chunk. */
      /* The fencepost takes at least MINSIZE bytes, because it might
         become the top chunk again later.  Note that a footer is set
         up, too, although the chunk is marked in use. */
      old_size -= MINSIZE;
      set_head(chunk_at_offset(old_top, old_size + 2*SIZE_SZ), 0|PREV_INUSE);
      if (old_size >= MINSIZE) {
        set_head(chunk_at_offset(old_top, old_size), (2*SIZE_SZ)|PREV_INUSE);
        set_foot(chunk_at_offset(old_top, old_size), (2*SIZE_SZ));
        set_head(old_top, old_size|PREV_INUSE|NON_MAIN_ARENA);
#ifdef ATOMIC_FASTBINS
        _int_free(av, old_top, 1);
#else
        _int_free(av, old_top);
#endif

It may free the old top chunk with a size which isn't a multiple of MALLOC_ALIGNMENT,
which leads to a free chunk with an incorrect size.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: ppluzhnikov at google dot com @ 2012-01-10  2:38 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com


* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: drepper.fsp at gmail dot com @ 2012-01-26 15:01 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |WAITING

--- Comment #1 from Ulrich Drepper <drepper.fsp at gmail dot com> 2012-01-26 15:01:21 UTC ---
In which scenario is this supposed to happen?  Test case.


* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-01-26 16:37 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> 2012-01-26 16:37:26 UTC ---
(In reply to comment #1)
> In which scenario is this supposed to happen?  Test case.

I see it in a private package.


* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: drepper.fsp at gmail dot com @ 2012-01-27 23:02 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2012-01-27 23:02:09 UTC ---
(In reply to comment #2)
> I see it in a private package.

Then how shall I know it's just some bogus crap in your code.  Provide a
reproducer.


* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: jsm28 at gcc dot gnu.org @ 2012-02-21  2:38 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |malloc


* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-24 19:20 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
            Version|2.15                        |unspecified

--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-24 19:20:31 UTC ---
This bug caused some test failures in one of the nss packages on Linux/x32.
When sysmalloc frees the old top chunk, it should make sure that the size of
the returned chunk is a multiple of MALLOC_ALIGNMENT, just like several
lines below:

          /*
             Shrink old_top to insert fenceposts, keeping size a
             multiple of MALLOC_ALIGNMENT. We know there is at least
             enough space in old_top to do this.
          */
          old_size = (old_size - 4*SIZE_SZ) & ~MALLOC_ALIGN_MASK;
          set_head(old_top, old_size | PREV_INUSE);

If the returned chunk doesn't have a multiple of MALLOC_ALIGNMENT in
size, it will fail this check:

  /* We know that each chunk is at least MINSIZE bytes in size of a
     multiple of MALLOC_ALIGNMENT.  */
  if (__builtin_expect (size < MINSIZE
                        || (size & MALLOC_ALIGN_MASK) != 0, 0))
    {
      errstr = "free(): invalid size";
      goto errout;
    }

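The size arithmetic described in the report and in comment #4, as an added example that is not glibc code and not part of this thread. It models only the computations involved (MINSIZE, the fencepost subtraction in sysmalloc, and the free() alignment check) for two assumed target parameter sets, x86_64 (SIZE_SZ 8, MALLOC_ALIGNMENT 16) and x32 (SIZE_SZ 4, MALLOC_ALIGNMENT 16), on constructed heap addresses. The "masked" variant applies the same `& ~MALLOC_ALIGN_MASK` rounding that the shrink path quoted in comment #4 uses; it is this example's construction, not the patch that closed the bug, which the thread does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Allocator constants for a target, named after the malloc.c macros.
   Assumed values, not taken from the thread: x86_64 has SIZE_SZ 8 and
   MALLOC_ALIGNMENT 16; x32 keeps MALLOC_ALIGNMENT 16 (long double
   alignment) although SIZE_SZ is 4. */
struct target {
    const char *name;
    size_t size_sz;
    size_t malloc_alignment;
};

static const struct target X86_64 = { "x86_64", 8, 16 };
static const struct target X32    = { "x32",    4, 16 };

static size_t align_mask(const struct target *t)
{
    return t->malloc_alignment - 1;          /* MALLOC_ALIGN_MASK */
}

/* MINSIZE: MIN_CHUNK_SIZE (4*SIZE_SZ) rounded up to MALLOC_ALIGNMENT. */
static size_t minsize(const struct target *t)
{
    return (4 * t->size_sz + align_mask(t)) & ~align_mask(t);
}

/* The "free(): invalid size" check quoted in comment #4. */
static int free_accepts(const struct target *t, size_t size)
{
    return size >= minsize(t) && (size & align_mask(t)) == 0;
}

/* Size of a top chunk whose user pointer is at mem and which runs to
   the page-aligned end of its heap.  The chunk header sits 2*SIZE_SZ
   before the aligned user pointer, so when 2*SIZE_SZ < MALLOC_ALIGNMENT
   the chunk address is only 2*SIZE_SZ-aligned and the distance to a
   page boundary is not a multiple of MALLOC_ALIGNMENT. */
static size_t top_size_to_heap_end(const struct target *t,
                                   uintptr_t heap_end, uintptr_t mem)
{
    uintptr_t top_chunk = mem - 2 * t->size_sz;
    return (size_t)(heap_end - top_chunk);
}

/* glibc 2.15 fencepost path, as quoted in the report: plain subtraction. */
static size_t old_top_size_2_15(const struct target *t, size_t old_size)
{
    return old_size - minsize(t);
}

/* Same subtraction followed by the masking used in the shrink path
   quoted in comment #4.  This is the example's own construction. */
static size_t old_top_size_masked(const struct target *t, size_t old_size)
{
    return (old_size - minsize(t)) & ~align_mask(t);
}

/* Bytes left for the fencepost after the masked shrink: always at least
   MINSIZE, plus whatever the mask rounded away (< MALLOC_ALIGNMENT). */
static size_t fencepost_bytes(const struct target *t, size_t old_size)
{
    return old_size - old_top_size_masked(t, old_size);
}

static void show(const struct target *t, uintptr_t heap_end, uintptr_t mem)
{
    size_t old_size = top_size_to_heap_end(t, heap_end, mem);
    size_t s215 = old_top_size_2_15(t, old_size);
    size_t smask = old_top_size_masked(t, old_size);
    printf("%-6s top size 0x%zx: 2.15 frees 0x%zx (%s), masked frees 0x%zx (%s), "
           "fencepost %zu bytes\n",
           t->name, old_size,
           s215, free_accepts(t, s215) ? "ok" : "invalid size",
           smask, free_accepts(t, smask) ? "ok" : "invalid size",
           fencepost_bytes(t, old_size));
}

int main(void)
{
    /* Constructed addresses: a heap ending on a page boundary and a top
       chunk whose user pointer is 16-byte aligned. */
    const uintptr_t heap_end = 0x20000;
    const uintptr_t mem = 0x10100;
    show(&X86_64, heap_end, mem);
    show(&X32, heap_end, mem);
    return 0;
}
```

In this model the two expressions agree wherever 2*SIZE_SZ equals MALLOC_ALIGNMENT (x86_64), and diverge only where the chunk header offset is smaller than the alignment (x32): the 2.15 subtraction leaves a size congruent to 8 mod 16, which the quoted free() check rejects, while the masked form rounds it down and leaves the slack in the fencepost.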

* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-24 19:23 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

--- Comment #5 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-24 19:23:00 UTC ---
do_check_free_chunk has

  /* Unless a special marker, must have OK fields */
  if ((unsigned long)(sz) >= MINSIZE)
  {
    assert((sz & MALLOC_ALIGN_MASK) == 0);


* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-25 11:48 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=13576

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |2.16

--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-25 11:47:52 UTC ---
Fixed.


* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: fweimer at redhat dot com @ 2014-06-27 11:14 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=13576

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

