public inbox for glibc-bugs@sourceware.org
* [Bug malloc/26384] New: Race condition in _int_free when MALLOC_DEBUG is enabled
@ 2020-08-13 13:47 stephan at tobies dot info
From: stephan at tobies dot info @ 2020-08-13 13:47 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26384

            Bug ID: 26384
           Summary: Race condition in _int_free when MALLOC_DEBUG is
                    enabled
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: stephan at tobies dot info
  Target Milestone: ---

When MALLOC_DEBUG is enabled, _int_free calls check_inuse_chunk(av, p); without
holding a mutex on the current arena.

(do_)check_inuse_chunk, on the other hand, will access data about the previous
and next chunk, which is not safe when not holding the arena mutex. For
example, the value of prev_inuse may change concurrently, thus making the
access to the prev_chunk(p) unsafe.

As a fix, check_inuse_chunk should only be called when have_lock is true; in
the false case, only check_chunk and inuse(p) can be checked safely.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
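
The gating proposed in the report above, shown as an added example on a simplified chunk model. It is not part of the original report and not glibc source. All `toy_*` names, the helper bodies and the sample heap are assumptions constructed for illustration; only `have_lock`, `check_chunk`, `inuse` and `PREV_INUSE` follow names from the report and glibc.

```c
/* Simplified model, not glibc source; every toy_* name is hypothetical. */
#include <pthread.h>
#include <stddef.h>

#define PREV_INUSE ((size_t)1)
enum { CHECK_FAILED, CHECKED_LOCAL, CHECKED_NEIGHBOURS };
struct toy_chunk { size_t prev_size, size; };  /* low bit of size = PREV_INUSE */
struct toy_arena { pthread_mutex_t mutex; char *base; size_t len; };

static size_t csize(const struct toy_chunk *p) { return p->size & ~PREV_INUSE; }
static struct toy_chunk *next_chunk(struct toy_chunk *p) {
    return (struct toy_chunk *)((char *)p + csize(p));
}
/* Bounds and alignment: reads only p's own header and the arena limits. */
static int check_chunk(const struct toy_arena *av, struct toy_chunk *p) {
    char *c = (char *)p, *end = av->base + av->len;
    return c >= av->base && c < end && csize(p) >= sizeof *p
        && csize(p) % sizeof(size_t) == 0 && csize(p) + sizeof *p <= (size_t)(end - c);
}
/* inuse(p): the PREV_INUSE bit in the next header describes p itself. */
static int inuse(struct toy_chunk *p) { return (next_chunk(p)->size & PREV_INUSE) != 0; }
/* Neighbour check: follows prev_size into the previous chunk's header, which
   other threads may rewrite at any time unless the arena mutex is held. */
static int check_neighbours(const struct toy_arena *av, struct toy_chunk *p) {
    if (p->size & PREV_INUSE) return 1;
    if (p->prev_size > (size_t)((char *)p - av->base)) return 0;
    return next_chunk((struct toy_chunk *)((char *)p - p->prev_size)) == p;
}
/* have_lock mirrors the _int_free parameter: nonzero means the caller holds av->mutex. */
int toy_free_debug_check(struct toy_arena *av, struct toy_chunk *p, int have_lock) {
    if (!check_chunk(av, p) || !inuse(p)) return CHECK_FAILED;
    if (!have_lock) return CHECKED_LOCAL;   /* unlocked: stop before neighbours */
    return check_neighbours(av, p) ? CHECKED_NEIGHBOURS : CHECK_FAILED;
}

static size_t toy_heap[32];                 /* constructed sample heap */
struct toy_chunk *toy_sample(struct toy_arena *av) {
    struct toy_chunk *a = (struct toy_chunk *)toy_heap, *b, *c;
    av->base = (char *)toy_heap; av->len = sizeof toy_heap;
    pthread_mutex_init(&av->mutex, NULL);
    a->prev_size = 0;  a->size = 32 | PREV_INUSE;          /* A: free chunk */
    b = next_chunk(a); b->prev_size = 32; b->size = 32;    /* B: in use, A before it is free */
    c = next_chunk(b); c->prev_size = 0;  c->size = 32 | PREV_INUSE; /* bit says B in use */
    return b;
}
int main(void) {
    struct toy_arena av; struct toy_chunk *b = toy_sample(&av);
    return toy_free_debug_check(&av, b, 0) == CHECKED_LOCAL ? 0 : 1;
}
```

With `have_lock` set to 0 the function returns before reading `prev_size` or the previous header, so inconsistent neighbour data can only be reported on the locked path.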


* [Bug malloc/26384] Race condition in _int_free when MALLOC_DEBUG is enabled
@ 2020-08-13 14:01 ` stephan at tobies dot info
From: stephan at tobies dot info @ 2020-08-13 14:01 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26384

Stephan Tobies <stephan at tobies dot info> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stephan at tobies dot info
