public inbox for glibc-bugs@sourceware.org
* [Bug libc/13576] New: Free chunk in malloc may have incorrect size
@ 2012-01-09 21:12 hjl.tools at gmail dot com
From: hjl.tools at gmail dot com @ 2012-01-09 21:12 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
Bug #: 13576
Summary: Free chunk in malloc may have incorrect size
Product: glibc
Version: 2.15
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: hjl.tools@gmail.com
Classification: Unclassified
sYSMALLOc has

      /* Setup fencepost and free the old top chunk. */
      /* The fencepost takes at least MINSIZE bytes, because it might
         become the top chunk again later.  Note that a footer is set
         up, too, although the chunk is marked in use. */
      old_size -= MINSIZE;
      set_head(chunk_at_offset(old_top, old_size + 2*SIZE_SZ), 0|PREV_INUSE);
      if (old_size >= MINSIZE) {
        set_head(chunk_at_offset(old_top, old_size), (2*SIZE_SZ)|PREV_INUSE);
        set_foot(chunk_at_offset(old_top, old_size), (2*SIZE_SZ));
        set_head(old_top, old_size|PREV_INUSE|NON_MAIN_ARENA);
#ifdef ATOMIC_FASTBINS
        _int_free(av, old_top, 1);
#else
        _int_free(av, old_top);
#endif

It may free the old top chunk with a size which isn't a multiple of MALLOC_ALIGNMENT,
which leads to a free chunk with an incorrect size.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: ppluzhnikov at google dot com @ 2012-01-10 2:38 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What      |Removed |Added
----------------------------------------------------------------------------
CC        |        |ppluzhnikov at google dot com
* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: drepper.fsp at gmail dot com @ 2012-01-26 15:01 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Status    |NEW     |WAITING
--- Comment #1 from Ulrich Drepper <drepper.fsp at gmail dot com> 2012-01-26 15:01:21 UTC ---
In which scenario is this supposed to happen? Test case.
* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-01-26 16:37 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> 2012-01-26 16:37:26 UTC ---
(In reply to comment #1)
> In which scenario is this supposed to happen? Test case.
I see it in a private package.
* [Bug libc/13576] Free chunk in malloc may have incorrect size
From: drepper.fsp at gmail dot com @ 2012-01-27 23:02 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2012-01-27 23:02:09 UTC ---
(In reply to comment #2)
> I see it in a private package.
Then how shall I know it's just some bogus crap in your code. Provide a reproducer.
* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: jsm28 at gcc dot gnu.org @ 2012-02-21 2:38 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Component |libc    |malloc
* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-24 19:20 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
H.J. Lu <hjl.tools at gmail dot com> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Status    |WAITING |NEW
Version   |2.15    |unspecified
--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-24 19:20:31 UTC ---
This bug caused some test failures in one of the nss packages on Linux/x32.
When sysmalloc frees the old top chunk, it should make sure that the size of
the returned chunk is a multiple of MALLOC_ALIGNMENT, just like several
lines below:

          /*
            Shrink old_top to insert fenceposts, keeping size a
            multiple of MALLOC_ALIGNMENT. We know there is at least
            enough space in old_top to do this.
          */
          old_size = (old_size - 4*SIZE_SZ) & ~MALLOC_ALIGN_MASK;
          set_head(old_top, old_size | PREV_INUSE);

If the returned chunk doesn't have a multiple of MALLOC_ALIGNMENT in
size, it will fail this check:

  /* We know that each chunk is at least MINSIZE bytes in size or a
     multiple of MALLOC_ALIGNMENT.  */
  if (__builtin_expect (size < MINSIZE
                        || (size & MALLOC_ALIGN_MASK) != 0, 0))
    {
      errstr = "free(): invalid size";
      goto errout;
    }
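The arithmetic the report, comment #4 and comment #5 argue about, as an added example that is not code from the thread or from glibc: a small model whose constants are assumed to mirror Linux/x32 (4-byte size fields, 16-byte chunk alignment), the old-top size as the quoted sYSMALLOc code computes it, the same value rounded down with MALLOC_ALIGN_MASK as the main-arena path does, and the size check from _int_free / do_check_free_chunk that the result has to pass. The sample old_size of 4072 is constructed; whether the committed fix took exactly the masked form is not stated in the thread and is an assumption of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the size arithmetic, not glibc's malloc.c.  Constants
   are assumed to mirror Linux/x32, where comment #4 says the failures showed
   up: 4-byte size fields but 16-byte chunk alignment. */
#define SIZE_SZ            ((size_t) 4)
#define MALLOC_ALIGNMENT   ((size_t) 16)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MIN_CHUNK_SIZE     (4 * SIZE_SZ)
#define MINSIZE            ((MIN_CHUNK_SIZE + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* The precondition _int_free and do_check_free_chunk apply to a chunk size
   (comments #4 and #5): at least MINSIZE and a multiple of MALLOC_ALIGNMENT. */
int free_size_ok(size_t size)
{
    return size >= MINSIZE && (size & MALLOC_ALIGN_MASK) == 0;
}

/* Old-top size as the quoted sYSMALLOc code computes it: plain subtraction,
   which preserves whatever misalignment old_size already had. */
size_t old_top_size_unmasked(size_t old_size)
{
    return old_size - MINSIZE;
}

/* The same value rounded down to MALLOC_ALIGNMENT, the idiom the main-arena
   path already uses (quoted in comment #4).  Assumed here as the corrected
   form; the thread does not show the committed patch. */
size_t old_top_size_masked(size_t old_size)
{
    return (old_size - MINSIZE) & ~MALLOC_ALIGN_MASK;
}

/* Main-arena variant quoted in comment #4, included for comparison. */
size_t shrink_for_fenceposts_main_arena(size_t old_size)
{
    return (old_size - 4 * SIZE_SZ) & ~MALLOC_ALIGN_MASK;
}

/* Rounding down only shrinks the chunk, so the MINSIZE fencepost region
   placed after it still lies inside the original old top. */
int fencepost_fits(size_t original_old_size, size_t shrunk)
{
    return shrunk + MINSIZE <= original_old_size;
}

int main(void)
{
    /* Constructed sample: a top-chunk size that is 8 mod 16, i.e. a multiple
       of 2*SIZE_SZ but not of MALLOC_ALIGNMENT. */
    size_t old_size = 4072;

    size_t buggy = old_top_size_unmasked(old_size);
    size_t fixed = old_top_size_masked(old_size);

    printf("MINSIZE=%zu old_size=%zu\n", MINSIZE, old_size);
    printf("unmasked=%zu -> %s\n", buggy,
           free_size_ok(buggy) ? "accepted" : "free(): invalid size");
    printf("masked=%zu -> %s (fencepost fits: %d)\n", fixed,
           free_size_ok(fixed) ? "accepted" : "free(): invalid size",
           fencepost_fits(old_size, fixed));
    return 0;
}
```

With an old_size that is already a multiple of MALLOC_ALIGNMENT both forms agree, which is why the defect only surfaces on a configuration where the top chunk's size can be a multiple of 2*SIZE_SZ without being a multiple of MALLOC_ALIGNMENT.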
* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-24 19:23 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
--- Comment #5 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-24 19:23:00 UTC ---
do_check_free_chunk has

  /* Unless a special marker, must have OK fields */
  if ((unsigned long)(sz) >= MINSIZE)
  {
    assert((sz & MALLOC_ALIGN_MASK) == 0);
* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: hjl.tools at gmail dot com @ 2012-05-25 11:48 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13576
H.J. Lu <hjl.tools at gmail dot com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
Status           |NEW     |RESOLVED
Resolution       |        |FIXED
Target Milestone |---     |2.16
--- Comment #6 from H.J. Lu <hjl.tools at gmail dot com> 2012-05-25 11:47:52 UTC ---
Fixed.
* [Bug malloc/13576] Free chunk in malloc may have incorrect size
From: fweimer at redhat dot com @ 2014-06-27 11:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13576
Florian Weimer <fweimer at redhat dot com> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Flags     |        |security-