public inbox for glibc-bugs@sourceware.org
From: "bungeman at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/23343] tcache_init() confuses mtrace()
Date: Wed, 22 Sep 2021 23:55:19 +0000
Message-ID: <bug-23343-131-07Gyf1FpSM@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-23343-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=23343

bungeman at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bungeman at gmail dot com

--- Comment #1 from bungeman at gmail dot com ---
I recently also ran into this with `mcheck` and the associated hooks.

Both the `tcache` and its `entries` are always backed directly as chunks (bare `mchunkptr` or `malloc_chunk` allocations), as they always come directly out of `_int_malloc` or `_int_free`. Looking at the rest of the file (and since these are internal allocations), it appears that these should be freed with `_int_free` after finding the correct arena. Currently `tcache_thread_shutdown` calls `__libc_free` on both the `tcache` and its `entries`.

When running with `mcheck`, the hooks install or expect a `hdr` before the mem ptr (the `malloc_chunk` will come before this `hdr`). Since these allocations did not go through `__libc_malloc`, or have already gone through `__libc_free`, they do not have a `hdr` present (and the pointer value has already been adjusted to before where the `hdr` was installed in the allocation). As a result, the mcheck `freehook`, which is called when `__libc_free` is called, fails in `checkhdr` since there isn't actually a `hdr` there.

I managed to capture this happening in rr with a tcache entry.
A somewhat simplified reverse debugging session demonstrating the issue looks like:

    347         msg = _ ("memory clobbered before allocated block\n");
    #0  0x00007f6f2b98bc95 in mabort (status=<optimized out>) at mcheck.c:347
    #1  0x00007f6f2b98bd2b in checkhdr (hdr=hdr@entry=0x55e969231090) at mcheck.c:111
    #2  0x00007f6f2b98c129 in checkhdr (hdr=0x55e969231090) at mcheck.c:86
    #3  freehook (ptr=0x55e9692310c0, caller=0x7f6f2b98a87b <__malloc_arena_thread_freeres+75>) at mcheck.c:184
    #4  0x00007f6f2b98a87b in tcache_thread_shutdown () at malloc.c:2964
    #5  __malloc_arena_thread_freeres () at arena.c:951
    #6  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
    #7  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at pthread_create.c:491
    #8  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    (rr) reverse-finish          // a few times
    2964          __libc_free (e);
    #0  tcache_thread_shutdown () at malloc.c:2964
    #1  __malloc_arena_thread_freeres () at arena.c:951
    #2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
    #3  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at pthread_create.c:491
    (rr) when-ticks
    Current tick: 25415
    (rr) print e
    $1 = (tcache_entry *) 0x55e9692310c0
    (rr) print *e
    $2 = {next = 0x0, key = 0x7f6f240008d0}
    // The data before e looks like a legal malloc_chunk
    (rr) print *(mchunkptr)((char*)e - 2*sizeof(size_t))
    $11 = {mchunk_prev_size = 96, mchunk_size = 97, ...}
    // The data before e does not look like a legal mcheck hdr, so checkhdr aborted
    (rr) print ((struct hdr *) e) - 1
    $17 = (struct hdr *) 0x55e969231090
    (rr) print *(((struct hdr *) e) - 1)
    $19 = {size = 4294967298, magic = 10778686036297936231, prev = 0x9595959595959595, next = 0x9595959595959595, block = 0x60, magic2 = 97}
    (rr) reverse-next            // a few times to get before the while loop
    2954      tcache_shutting_down = true;
    #0  tcache_thread_shutdown () at malloc.c:2954
    #1  __malloc_arena_thread_freeres () at arena.c:951
    #2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
    #3  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at pthread_create.c:491
    #4  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    (rr) print *tcache_tmp
    $20 = {counts = {0, 0, 0, 0, 1, 0 <repeats 59 times>}, entries = {0x0, 0x0, 0x0, 0x0, 0x55e9692310c0, 0x0 <repeats 59 times>}}
    (rr) print *tcache_tmp->entries[4]
    $21 = {next = 0x0, key = 0x7f6f240008d0}
    (rr) watch -l tcache_tmp->entries[4]
    (rr) reverse-cont
    2927      tcache->entries[tc_idx] = e;
    #0  tcache_put (tc_idx=4, chunk=0x55e9692310b0) at malloc.c:2927
    #1  _int_free (av=0x7f6f2babeb80 <main_arena>, p=0x55e9692310b0, have_lock=0) at malloc.c:4208
    #2  0x00007f6f2b98c1b8 in freehook (ptr=0x55e9692310c0, caller=0x55e964dbca21) at mcheck.c:196
    #3  0x000055e964dbca21 in std::thread::_State_impl<...>::~_State_impl() (this=0x55e9692310f0, __in_chrg=<optimized out>) at /usr/include/c++/10/thread:205
    #4  0x00007f6f2bcf531a in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #5  0x00007f6f2c0b9ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
    #6  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    (rr) when-ticks
    Current tick: 13449
    (rr) print e
    $25 = (tcache_entry *) 0x55e9692310c0
    (rr) print *e
    $26 = {next = 0x0, key = 0x7f6f240008d0}

Here it is easy to verify that `freehook` removed the `hdr` (overwriting it to mark it) by adjusting the pointer back to before the `hdr`, then called `_int_free`, which added this now non-mcheck chunk to the tcache. As a result, this now "hook-clean" freed allocation must not be freed through the hooks (as they have already cleaned up their claim on this allocation and marked it free). `tcache_thread_shutdown` is already careful to remove the entry from the entries list before attempting to free it, so just calling `_int_free` (with the correct arena) should be correct.
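The hook-layering problem the comment describes, as an added illustration that is not glibc's code and not part of the bug report: a toy bump allocator with a tcache-like free list stands in for `_int_malloc`, `_int_free` and `tcache_put`, and an mcheck-style header layer sits on top of it. The model's `freehook` validates the `hdr`, marks it free, floods the user data, and hands the `hdr` address (not the user pointer) down to `int_free`, so every entry parked in the tcache has a chunk header, not an `hdr`, in front of it. A shutdown routine that frees those entries through the hook layer again runs `checkhdr` over the chunk header and fails with the "clobbered before allocated block" status the backtrace above shows; one that returns them with `int_free` directly does not. All names, constants, the pool and the 16-byte `hdr` layout are constructed for this model (glibc's real `struct hdr` is larger, so the misread bytes there lie further back than the chunk header).

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy model, not glibc code. Layer 1 is a bump allocator with a
 * tcache-like free list standing in for _int_malloc/_int_free and tcache_put.
 * Layer 2 is an mcheck-style header layer whose freehook runs on every
 * __libc_free. Field layouts and constants are illustrative only. */

#define MAGICWORD 0xfedabeebUL   /* hdr->magic while the block is live */
#define MAGICFREE 0xd8675309UL   /* hdr->magic once freehook has run */
#define FREEFLOOD 0x95           /* pattern freehook writes over the user data */
#define TCACHE_SLOTS 8

enum chk { CHK_OK, CHK_FREED, CHK_HEAD };

/* ---- layer 1: raw allocator ---- */
struct chunk { size_t prev_size; size_t size; };   /* like malloc_chunk */
static size_t pool[512];                           /* constructed backing store */
static size_t pool_top;
static void *tcache_entries[TCACHE_SLOTS];          /* like tcache->entries[] */
static int tcache_count;
static int tcache_shutting_down;
static int released_chunks;                         /* chunks handed back to the "arena" */

static void *int_malloc(size_t n)
{
    size_t total = sizeof(struct chunk) + ((n + 15) & ~(size_t)15);
    if (pool_top + total > sizeof pool) return NULL;
    struct chunk *c = (struct chunk *)((unsigned char *)pool + pool_top);
    pool_top += total;
    c->prev_size = 0;
    c->size = total | 1;           /* PREV_INUSE bit set, as in glibc */
    return c + 1;                  /* user pointer sits right after the chunk header */
}

/* Like _int_free: park the chunk in the tcache unless it is shutting down or full. */
static void int_free(void *p)
{
    if (!tcache_shutting_down && tcache_count < TCACHE_SLOTS) {
        tcache_entries[tcache_count++] = p;
        return;
    }
    released_chunks++;
}

/* ---- layer 2: mcheck-style hooks ---- */
struct hdr { size_t size; unsigned long magic; };   /* 16 bytes, same as struct chunk here */

static enum chk checkhdr(const struct hdr *h)
{
    if (h->magic == MAGICFREE) return CHK_FREED;    /* "block freed twice" */
    if (h->magic != MAGICWORD) return CHK_HEAD;     /* "memory clobbered before allocated block" */
    return CHK_OK;
}

static void *mcheck_malloc(size_t n)
{
    struct hdr *h = int_malloc(sizeof *h + n);
    if (!h) return NULL;
    h->size = n;
    h->magic = MAGICWORD;
    return h + 1;
}

/* freehook: validate, mark free, flood, then pass the *hdr* address (not the
 * user pointer) down to int_free. Whatever lands in the tcache has no hdr in
 * front of it any more. */
static enum chk freehook(void *p)
{
    struct hdr *h = (struct hdr *)p - 1;
    enum chk st = checkhdr(h);
    if (st != CHK_OK) return st;
    h->magic = MAGICFREE;
    memset(h + 1, FREEFLOOD, h->size);
    int_free(h);
    return CHK_OK;
}

/* Buggy shutdown: each entry goes through the hook layer again, so checkhdr
 * reads the 16 bytes before the entry, which are the chunk header. */
static enum chk tcache_shutdown_via_hooks(void)
{
    tcache_shutting_down = 1;
    while (tcache_count > 0) {
        void *e = tcache_entries[--tcache_count];
        enum chk st = freehook(e);
        if (st != CHK_OK) return st;
    }
    return CHK_OK;
}

/* Fixed shutdown: entries came from int_free, so return them with int_free.
 * Returns how many chunks reached the underlying allocator. */
static int tcache_shutdown_raw(void)
{
    tcache_shutting_down = 1;
    while (tcache_count > 0)
        int_free(tcache_entries[--tcache_count]);
    return released_chunks;
}

static void model_reset(void)
{
    pool_top = 0; tcache_count = 0; tcache_shutting_down = 0; released_chunks = 0;
}
```

Usage: call `model_reset()`, allocate with `mcheck_malloc`, free once through `freehook` (which parks the hdr address in the tcache), then compare `tcache_shutdown_via_hooks()`, which returns `CHK_HEAD`, against `tcache_shutdown_raw()` on a fresh model, which releases the entry without complaint. Freeing the same user pointer twice through `freehook` still yields `CHK_FREED`, so the hook layer's own double-free check is intact; the failure is specific to re-entering the hooks with a pointer that already left them.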
Thread overview: 4+ messages
[not found] <bug-23343-131@http.sourceware.org/bugzilla/>
2021-09-22 23:55 ` bungeman at gmail dot com [this message]
2021-09-23 20:41 ` bungeman at gmail dot com
2021-09-30  2:17 ` bungeman at gmail dot com
2021-10-14  0:38 ` siddhesh at sourceware dot org