From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id CDDD5385C426; Fri,  8 May 2020 13:03:47 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org CDDD5385C426
From: "wangxuszcn at foxmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/25945] memory block return by tcache_get()  may contain
 anather valid memory block pointer, leading to information disclosure
Date: Fri, 08 May 2020 13:03:47 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: malloc
X-Bugzilla-Version: 2.26
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: wangxuszcn at foxmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-25945-131-Le2ZOziNcV@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-25945-131@http.sourceware.org/bugzilla/>
References: <bug-25945-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 13:03:47 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D25945

--- Comment #2 from wangxu <wangxuszcn at foxmail dot com> ---
(In reply to wangxu from comment #0)
> The malloc function in the GNU C Library (aka glibc or libc6) since 2.26,
> may return a memory block which contain another valid memory block pointe=
r,
> potentially leading to memory leak. This occurs because the  function
> tcache_get() of per-thread cache (aka tcache) feature does not set e->nex=
t =3D
> NULL.=20
>=20
> patche canbe:
>=20
> @@ -2936,6 +3074,7 @@ tcache_get (size_t tc_idx)
>    tcache->entries[tc_idx] =3D e->next;
>    --(tcache->counts[tc_idx]);
>    e->key =3D NULL;
> +  e->next =3D NULL;
>    return (void *) e;
>  }
>=20
> BTW,can we request a CVE?

"memory leak" should be "information disclosure", disclosing another valid
memory block pointer.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=