From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 2B5913972829; Fri, 11 Dec 2020 13:09:46 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2B5913972829 From: "ssmallkirby at gmail dot com" To: glibc-bugs@sourceware.org Subject: [Bug malloc/27052] New: double free detection mechanism of tcache can invoke endless-loop in _int_free Date: Fri, 11 Dec 2020 13:09:45 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: malloc X-Bugzilla-Version: 2.32 X-Bugzilla-Keywords: X-Bugzilla-Severity: minor X-Bugzilla-Who: ssmallkirby at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: glibc-bugs@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Glibc-bugs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Dec 2020 13:09:46 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D27052 Bug ID: 27052 Summary: double free detection mechanism of tcache can invoke endless-loop in _int_free Product: glibc Version: 2.32 Status: UNCONFIRMED Severity: minor Priority: P2 Component: malloc Assignee: unassigned at sourceware dot org Reporter: ssmallkirby at gmail dot com Target Milestone: --- Since glibc 2.29, tcache has a 'key' member, which detects double free of tcache chunk. If linked-list of tcache contains a loop, it invokes infinite loop in _int_free. I think this loop should terminate and the program should abort = if tcache has more than 7 chunks. Below code invokes such infinite loop in _int_free and the program never terminates. It might be possible for this problem to be abused for DoS atta= ck. // tested on glibc 2.32 #include #include unsigned long protect_ptr(unsigned long pos, unsigned long ptr){ return (pos>>12) ^ (ptr); } int main(void) { char *a,*b,*c; a =3D malloc(0x50); b =3D malloc(0x50); c =3D malloc(0x50); free(a); free(b); *(unsigned long*)(b) =3D (unsigned long*)protect_ptr(b, b); ((unsigned long*)c)[1] =3D ((unsigned long*)a)[1]; free(c); return 0; } --=20 You are receiving this mail because: You are on the CC list for the bug.=