public inbox for glibc-bugs@sourceware.org
* [Bug malloc/26384] New: Race condition in _int_free when MALLOC_DEBUG is enabled
@ 2020-08-13 13:47 stephan at tobies dot info
From: stephan at tobies dot info @ 2020-08-13 13:47 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26384
Bug ID: 26384
Summary: Race condition in _int_free when MALLOC_DEBUG is enabled
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: stephan at tobies dot info
Target Milestone: ---

When MALLOC_DEBUG is enabled, _int_free calls check_inuse_chunk(av, p); without
holding a mutex on the current arena.

(do_)check_inuse_chunk, on the other hand, will access data about the previous
and next chunk, which is not safe when not holding the arena mutex. For
example, the value of prev_inuse may change concurrently, thus making the
access to the prev_chunk(p) unsafe.

As a fix, check_inuse_chunk should only be called when have_lock is true; in
the false case, only check_chunk and inuse(p) can be checked safely.
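
The gating proposed in the report, as an added example on a simplified model; this is not glibc code and not part of the original message. All toy_* and TOY_* names, the 16-byte size rule and the four-chunk arena are assumptions made for illustration; only the have_lock flag and the PREV_INUSE idea come from the report.

```c
#include <pthread.h>
#include <stddef.h>

/* Toy model (all names hypothetical, not glibc code). */
#define TOY_PREV_INUSE   0x1UL  /* low bit of size: previous chunk is in use */
#define TOY_CHECK_SELF   0x1    /* result flag: own-header check ran */
#define TOY_CHECK_NEIGH  0x2    /* result flag: neighbour check ran */

struct toy_chunk { size_t prev_size; size_t size; };
struct toy_arena { pthread_mutex_t mutex; struct toy_chunk chunks[4]; };

static size_t toy_size(const struct toy_chunk *p) { return p->size & ~TOY_PREV_INUSE; }

/* Reads only p's own header, so it needs no arena mutex. */
static int toy_check_chunk(const struct toy_chunk *p) {
    return toy_size(p) != 0 && toy_size(p) % 16 == 0;
}

/* Reads the previous chunk's header. A thread holding the mutex may be
   rewriting it (and p's PREV_INUSE bit), so the caller must hold a->mutex. */
static int toy_check_prev(const struct toy_arena *a, size_t i) {
    const struct toy_chunk *p = &a->chunks[i];
    if (i == 0 || (p->size & TOY_PREV_INUSE))
        return 1;                       /* no free predecessor to compare */
    return toy_size(&a->chunks[i - 1]) == p->prev_size;
}

/* Debug check on the free path: mask of checks that ran, or -1 on failure. */
int toy_free_debug_check(struct toy_arena *a, size_t i, int have_lock) {
    int ran = 0;
    if (!toy_check_chunk(&a->chunks[i])) return -1;
    ran |= TOY_CHECK_SELF;
    if (have_lock) {                    /* neighbour data only under the lock */
        if (!toy_check_prev(a, i)) return -1;
        ran |= TOY_CHECK_NEIGH;
    }
    return ran;
}

/* Constructed sample: chunk 1 (48 bytes) is free, chunk 2 is being freed. */
int toy_demo(int have_lock, size_t prev_size_of_chunk2) {
    struct toy_arena a = { .mutex = PTHREAD_MUTEX_INITIALIZER, .chunks = {
        {0, 32 | TOY_PREV_INUSE}, {0, 48 | TOY_PREV_INUSE},
        {prev_size_of_chunk2, 32}, {0, 64 | TOY_PREV_INUSE} } };
    if (have_lock) pthread_mutex_lock(&a.mutex);
    int r = toy_free_debug_check(&a, 2, have_lock);
    if (have_lock) pthread_mutex_unlock(&a.mutex);
    return r;
}
```

With a mismatched prev_size the locked path reports the corruption, while the unlocked path passes on the own-header check alone; that reduced coverage is the cost of not reading neighbour data without the mutex.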