From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 078953851C08; Sun,  3 May 2020 10:59:43 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 078953851C08
From: "vvijayan at mathworks dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/25912] New: Possible race in free_check() with
 MALLOC_CHECK_=3
Date: Sun, 03 May 2020 10:59:42 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.28
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: vvijayan at mathworks dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter cc target_milestone
Message-ID: <bug-25912-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2020 10:59:43 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D25912

            Bug ID: 25912
           Summary: Possible race in free_check() with MALLOC_CHECK_=3D3
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: vvijayan at mathworks dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

There seems to be a race in free_check() with MALLOC_CHECK_=3D3 is set, I g=
uess=20
after the following change
https://sourceware.org/git/gitweb.cgi?p=3Dglibc.git;h=3Dac3ed168d0c0b2b7023=
19ac0db72c9b475a8c72e,=20
 static void *
@@ -308,13 +273,7 @@ free_check (void *mem, const void *caller)
   __libc_lock_lock (main_arena.mutex);
   p =3D mem2chunk_check (mem, NULL);
   if (!p)
-    {
-      __libc_lock_unlock (main_arena.mutex);
-
-      malloc_printerr (check_action, "free(): invalid pointer", mem,
-                      &main_arena);
-      return;
-    }
+    malloc_printerr ("free(): invalid pointer");
   if (chunk_is_mmapped (p))
     {
       __libc_lock_unlock (main_arena.mutex);

The above code leaves the main_arena.mutex locked.
In case if from signal handler a new malloc request is raised, the thread s=
eems
to be hanging forever.
The following is the just an example to reproduce this.

#include <stdio.h>
#include<unistd.h>
#include<signal.h>
#include <stdlib.h>

void abort_handler(int signo)
{
    char *p2 =3D (char*)malloc(sizeof(char) * 32);
     p2 =3D "*******recieved SIGABRT******\n";

      if (signo =3D=3D SIGABRT)
          printf("%s",p2);
      //free(p2);
      exit(1);
}

int main() {
    char *str =3D (char*) malloc(16);
    (void)signal(SIGABRT, abort_handler);
    str =3D str + 0x10;
    free(str);

    return 0;
}

$gcc test.c -g
$=20
/* Works fine with MALLOC_CHECK_ unset
$./a.out=20
free(): invalid pointer
*******recieved SIGABRT******
$

$ export MALLOC_CHECK_=3D3
/************ Program hangs ***************/
$./a.out=20
free(): invalid pointer

^C
$

Backtrace in gdb
(gdb)=20
8           char *p2 =3D (char*)malloc(sizeof(char) * 32);
(gdb)=20
^C
Program received signal SIGINT, Interrupt.
__lll_lock_wait_private () at
../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:63
63      ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S: No such file or
directory.
(gdb) bt
#0  __lll_lock_wait_private () at
../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:63
#1  0x00007ffff7e60516 in malloc_check (sz=3D140737353714752, caller=3D<opt=
imized
out>) at hooks.c:236
#2  0x0000000000400637 in abort_handler (signo=3D6) at test3.c:8
#3  <signal handler called>
#4  __GI_raise (sig=3Dsig@entry=3D6) at ../sysdeps/unix/sysv/linux/raise.c:=
50
#5  0x00007ffff7dff535 in __GI_abort () at abort.c:79
#6  0x00007ffff7e56508 in __libc_message (action=3Daction@entry=3Ddo_abort,
fmt=3Dfmt@entry=3D0x7ffff7f6128d "%s\n") at ../sysdeps/posix/libc_fatal.c:1=
81
#7  0x00007ffff7e5cc1a in malloc_printerr (str=3Dstr@entry=3D0x7ffff7f5f43b
"free(): invalid pointer") at malloc.c:5341
#8  0x00007ffff7e60b3e in free_check (mem=3D<optimized out>, caller=3D<opti=
mized
out>) at hooks.c:254
#9  0x000000000040069f in main () at test3.c:21
(gdb) p main_arena.mutex
$1 =3D 2
(gdb) p main_arena
$2 =3D {mutex =3D 2, flags =3D 0, have_fastchunks =3D 0, fastbinsY =3D {0x0=
, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, top =3D 0x602020, last_remainder =3D 0x=
0,


Could you please confirm if this is a bug?

Regards,
Vinitha

--=20
You are receiving this mail because:
You are on the CC list for the bug.=