From: "bungeman at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/23343] tcache_init() confuses mtrace()
Date: Wed, 22 Sep 2021 23:55:19 +0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: malloc
X-Bugzilla-Version: 2.29
X-Bugzilla-Status: NEW
X-Bugzilla-Flags: security-

https://sourceware.org/bugzilla/show_bug.cgi?id=23343

bungeman at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bungeman at gmail dot com

--- Comment #1 from bungeman at gmail dot com ---
I recently also ran into this with `mcheck` and the associated hooks. Both the
`tcache` and its `entries` are always backed directly as chunks (bare
`mchunkptr` or `malloc_chunk` allocations) as they always come directly out of
`_int_malloc` or `_int_free`. Looking at the rest of the file (and since these
are internal allocations) it appears that these should be freed with
`_int_free` after finding the correct arena.

Currently `tcache_thread_shutdown` calls `__libc_free` on both the `tcache` and
its `entries`. When running with `mcheck` the hooks install or expect a `hdr`
before the mem ptr (the `malloc_chunk` will come before this `hdr`). Since
these allocations did not go through `__libc_malloc` or have already gone
through `__libc_free` they do not have a `hdr` present (and the pointer value
has already been adjusted to before where the `hdr` was installed in the
allocation). As a result, the mcheck `freehook`, which is called when
`__libc_free` is called, fails in `checkhdr` since there isn't actually a `hdr`
there.

I managed to capture this happening in rr with a tcache entry. A somewhat
simplified reverse debugging session demonstrating the issue looks like

347       msg = _ ("memory clobbered before allocated block\n");
#0  0x00007f6f2b98bc95 in mabort (status=) at mcheck.c:347
#1  0x00007f6f2b98bd2b in checkhdr (hdr=hdr@entry=0x55e969231090) at mcheck.c:111
#2  0x00007f6f2b98c129 in checkhdr (hdr=0x55e969231090) at mcheck.c:86
#3  freehook (ptr=0x55e9692310c0, caller=0x7f6f2b98a87b <__malloc_arena_thread_freeres+75>) at mcheck.c:184
#4  0x00007f6f2b98a87b in tcache_thread_shutdown () at malloc.c:2964
#5  __malloc_arena_thread_freeres () at arena.c:951
#6  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#7  0x00007f6f2c0b9ebf in start_thread (arg=) at pthread_create.c:491
#8  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) reverse-finish   // a few times
2964          __libc_free (e);
#0  tcache_thread_shutdown () at malloc.c:2964
#1  __malloc_arena_thread_freeres () at arena.c:951
#2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#3  0x00007f6f2c0b9ebf in start_thread (arg=) at pthread_create.c:491
(rr) when-ticks
Current tick: 25415
(rr) print e
$1 = (tcache_entry *) 0x55e9692310c0
(rr) print *e
$2 = {next = 0x0, key = 0x7f6f240008d0}
// The data before e looks like a legal malloc_chunk
(rr) print *(mchunkptr)((char*)e - 2*sizeof(size_t))
$11 = {mchunk_prev_size = 96, mchunk_size = 97, ...}
// The data before e does not look like a legal mcheck hdr, so checkhdr aborted
(rr) print ((struct hdr *) e) - 1
$17 = (struct hdr *) 0x55e969231090
(rr) print *(((struct hdr *) e) - 1)
$19 = {size = 4294967298, magic = 10778686036297936231, prev = 0x9595959595959595,
  next = 0x9595959595959595, block = 0x60, magic2 = 97}
(rr) reverse-next   // a few times to get before while loop
2954      tcache_shutting_down = true;
#0  tcache_thread_shutdown () at malloc.c:2954
#1  __malloc_arena_thread_freeres () at arena.c:951
#2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#3  0x00007f6f2c0b9ebf in start_thread (arg=) at pthread_create.c:491
#4  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) print *tcache_tmp
$20 = {counts = {0, 0, 0, 0, 1, 0 }, entries = {0x0, 0x0, 0x0, 0x0, 0x55e9692310c0, 0x0 }}
(rr) print *tcache_tmp->entries[4]
$21 = {next = 0x0, key = 0x7f6f240008d0}
(rr) watch -l tcache_tmp->entries[4]
(rr) reverse-cont
2927      tcache->entries[tc_idx] = e;
#0  tcache_put (tc_idx=4, chunk=0x55e9692310b0) at malloc.c:2927
#1  _int_free (av=0x7f6f2babeb80, p=0x55e9692310b0, have_lock=0) at malloc.c:4208
#2  0x00007f6f2b98c1b8 in freehook (ptr=0x55e9692310c0, caller=0x55e964dbca21) at mcheck.c:196
#3  0x000055e964dbca21 in std::thread::_State_impl<...>::~_State_impl() (this=0x55e9692310f0, __in_chrg=) at /usr/include/c++/10/thread:205
#4  0x00007f6f2bcf531a in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007f6f2c0b9ea7 in start_thread (arg=) at pthread_create.c:477
#6  0x00007f6f2b9fddef in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(rr) when-ticks
Current tick: 13449
(rr) print e
$25 = (tcache_entry *) 0x55e9692310c0
(rr) print *e
$26 = {next = 0x0, key = 0x7f6f240008d0}

Here it is easy to verify that `freehook` removed the `hdr` (overwriting it to
mark it) by adjusting the pointer back to before the `hdr`, then called
`_int_free`, which adds this now non-mcheck chunk to the tcache. As a result
this now "hook-clean" freed allocation must not be freed through the hooks (as
they have already cleaned up their claim on this allocation and marked it
free). `tcache_thread_shutdown` is already careful to remove the entry from the
entries list before attempting to free it, so just calling `_int_free` (with
the correct arena) should be correct.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
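The following is an added example written for this page; it is neither glibc's code nor the reporter's. It is a small, deterministic C model of the layering the comment describes: a chunk header (standing in for malloc_chunk), then an mcheck-style hdr, then the user bytes. freehook() validates and marks the hdr, then hands the hdr address to the internal free path, which parks it in a tcache-style list. A shutdown routine that routes those cached entries back through freehook() reads chunk-header bytes where a hdr is expected, which is the checkhdr failure in the trace; the alternative routine releases the entries through the internal path only, as the comment proposes. The struct layouts, the magic constants, the enum names, the bump arena and the function names below are assumptions of the model, not glibc identifiers.

```c
/* Added example, not glibc code: a model of an mcheck-style header layer
 * stacked on an allocator with a per-thread free cache.  Layout in memory:
 *   [struct chunk][struct hdr][user data]
 * All names, constants and layouts here are assumptions of the model. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAGIC_ALLOC 0xA11C3D5Fu   /* assumed: hdr intact, block live            */
#define MAGIC_FREE  0xDEAD0F5Eu   /* assumed: hook layer already released block */

struct chunk { size_t prev_size; size_t size; };                 /* model of malloc_chunk */
struct hdr   { size_t size; uint32_t magic; uint32_t magic2; };  /* model of mcheck hdr   */
struct tcache_entry { struct tcache_entry *next; };

enum check { CHK_OK, CHK_NO_HDR, CHK_FREED_TWICE };

/* Deterministic arena so the bytes in front of any block are well defined. */
static _Alignas(16) uint8_t arena[4096];
static size_t arena_top;
static struct tcache_entry *tcache_head;

static void *int_malloc(size_t n) {          /* model of _int_malloc: bump allocator */
    n = (n + 15) & ~(size_t)15;
    if (arena_top + sizeof(struct chunk) + n > sizeof arena) return NULL;
    struct chunk *c = (struct chunk *)(arena + arena_top);
    c->prev_size = 0;
    c->size = sizeof *c + n;
    arena_top += c->size;
    return c + 1;                             /* mem pointer follows the chunk header */
}

static void int_free(void *mem) {            /* model of _int_free: park block in tcache */
    struct tcache_entry *e = mem;            /* overlays the first bytes of the block    */
    e->next = tcache_head;
    tcache_head = e;
}

static enum check checkhdr(const struct hdr *h) {   /* model of mcheck's checkhdr */
    if (h->magic == MAGIC_FREE) return CHK_FREED_TWICE;
    if (h->magic != MAGIC_ALLOC || h->magic2 != (uint32_t)h->size) return CHK_NO_HDR;
    return CHK_OK;
}

void *mallochook(size_t n) {
    struct hdr *h = int_malloc(sizeof *h + n);
    if (!h) return NULL;
    h->size = n; h->magic = MAGIC_ALLOC; h->magic2 = (uint32_t)n;
    return h + 1;                             /* user pointer sits after the hdr */
}

enum check freehook(void *mem) {
    struct hdr *h = (struct hdr *)mem - 1;
    enum check c = checkhdr(h);
    if (c != CHK_OK) return c;                /* real mcheck calls mabort() here */
    h->magic = MAGIC_FREE;                    /* hook layer gives up its claim   */
    int_free(h);                              /* caches the hdr address: no hdr lies before it */
    return CHK_OK;
}

/* Shutdown as in the report: cached entries go back through the hook layer.
 * The 16 bytes before each entry are a chunk header, not a hdr. */
enum check tcache_shutdown_via_hook(void) {
    while (tcache_head) {
        struct tcache_entry *e = tcache_head;
        tcache_head = e->next;
        enum check c = freehook(e);
        if (c != CHK_OK) return c;
    }
    return CHK_OK;
}

/* Shutdown as proposed: entries already passed the hook once, so release them
 * through the internal path only.  The model has no arena reclaim, so this
 * just unlinks them and reports how many it handled. */
size_t tcache_shutdown_internal(void) {
    size_t n = 0;
    while (tcache_head) { tcache_head = tcache_head->next; n++; }
    return n;
}

void model_reset(void) { arena_top = 0; tcache_head = NULL; memset(arena, 0, sizeof arena); }
```

In the model, a block that has been through freehook() once carries MAGIC_FREE, so a second freehook() on the user pointer is reported as a repeated free, while the cached entry (the hdr address itself) has no hdr in front of it at all and is reported as clobbered, matching the "memory clobbered before allocated block" abort in the trace. The invariant the comment argues for is the one the model enforces: memory that has left the instrumented layer must only travel the internal path afterwards.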