public inbox for glibc-cvs@sourceware.org
help / color / mirror / Atom feed
* [glibc/nsz/mtag] malloc: Fix a realloc crash with heap tagging [BZ 27468]
@ 2021-03-11 17:40 Szabolcs Nagy
0 siblings, 0 replies; 4+ messages in thread
From: Szabolcs Nagy @ 2021-03-11 17:40 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a8e37914688a733e2b49820e6fc6ef9160378b99
commit a8e37914688a733e2b49820e6fc6ef9160378b99
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Feb 25 14:49:58 2021 +0000
malloc: Fix a realloc crash with heap tagging [BZ 27468]
_int_free must be called with a chunk that has its tag reset. This was
missing in a rare case that could crash when heap tagging is enabled:
when in a multi-threaded process the current arena runs out of memory
during realloc, but another arena still has space to finish the realloc
then _int_free was called without clearing the user allocation tags.
Fixes bug 27468.
Reviewed-by: DJ Delorie <dj@redhat.com>
Diff:
---
malloc/malloc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f4bbd8edf..8f8f12c276 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
newp = __libc_malloc (bytes);
if (newp != NULL)
{
- memcpy (newp, oldmem, oldsize - SIZE_SZ);
+ size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+ memcpy (newp, oldmem, sz);
+ (void) TAG_REGION (chunk2rawmem (oldp), sz);
_int_free (ar_ptr, oldp, 0);
}
}
^ permalink raw reply [flat|nested] 4+ messages in thread
* [glibc/nsz/mtag] malloc: Fix a realloc crash with heap tagging [BZ 27468]
@ 2021-03-19 11:56 Szabolcs Nagy
0 siblings, 0 replies; 4+ messages in thread
From: Szabolcs Nagy @ 2021-03-19 11:56 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=de2ed32e01d157f061bfd3f92314729af8ae2c8b
commit de2ed32e01d157f061bfd3f92314729af8ae2c8b
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Feb 25 14:49:58 2021 +0000
malloc: Fix a realloc crash with heap tagging [BZ 27468]
_int_free must be called with a chunk that has its tag reset. This was
missing in a rare case that could crash when heap tagging is enabled:
when in a multi-threaded process the current arena runs out of memory
during realloc, but another arena still has space to finish the realloc
then _int_free was called without clearing the user allocation tags.
Fixes bug 27468.
Reviewed-by: DJ Delorie <dj@redhat.com>
Diff:
---
malloc/malloc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f4bbd8edf..8f8f12c276 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
newp = __libc_malloc (bytes);
if (newp != NULL)
{
- memcpy (newp, oldmem, oldsize - SIZE_SZ);
+ size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+ memcpy (newp, oldmem, sz);
+ (void) TAG_REGION (chunk2rawmem (oldp), sz);
_int_free (ar_ptr, oldp, 0);
}
}
^ permalink raw reply [flat|nested] 4+ messages in thread
* [glibc/nsz/mtag] malloc: Fix a realloc crash with heap tagging [BZ 27468]
@ 2021-03-11 17:38 Szabolcs Nagy
0 siblings, 0 replies; 4+ messages in thread
From: Szabolcs Nagy @ 2021-03-11 17:38 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a8e37914688a733e2b49820e6fc6ef9160378b99
commit a8e37914688a733e2b49820e6fc6ef9160378b99
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Feb 25 14:49:58 2021 +0000
malloc: Fix a realloc crash with heap tagging [BZ 27468]
_int_free must be called with a chunk that has its tag reset. This was
missing in a rare case that could crash when heap tagging is enabled:
when in a multi-threaded process the current arena runs out of memory
during realloc, but another arena still has space to finish the realloc
then _int_free was called without clearing the user allocation tags.
Fixes bug 27468.
Reviewed-by: DJ Delorie <dj@redhat.com>
Diff:
---
malloc/malloc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f4bbd8edf..8f8f12c276 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
newp = __libc_malloc (bytes);
if (newp != NULL)
{
- memcpy (newp, oldmem, oldsize - SIZE_SZ);
+ size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+ memcpy (newp, oldmem, sz);
+ (void) TAG_REGION (chunk2rawmem (oldp), sz);
_int_free (ar_ptr, oldp, 0);
}
}
^ permalink raw reply [flat|nested] 4+ messages in thread
* [glibc/nsz/mtag] malloc: Fix a realloc crash with heap tagging [BZ 27468]
@ 2021-03-04 16:25 Szabolcs Nagy
0 siblings, 0 replies; 4+ messages in thread
From: Szabolcs Nagy @ 2021-03-04 16:25 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ea419cc06f9ce20cab8ff1c3d93748fc38f3410d
commit ea419cc06f9ce20cab8ff1c3d93748fc38f3410d
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Thu Feb 25 14:49:58 2021 +0000
malloc: Fix a realloc crash with heap tagging [BZ 27468]
_int_free must be called with a chunk that has its tag reset. This was
missing in a rare case that could crash when heap tagging is enabled:
when in a multi-threaded process the current arena runs out of memory
during realloc, but another arena still has space to finish the realloc
then _int_free was called without clearing the user allocation tags.
And another _int_free call site in realloc used the wrong size for the
tag clearing: the chunk header of the next chunk was also cleared which
in practice is probably not a problem, but logically that belongs to a
different chunk so it may cause trouble.
Fixes bug 27468.
Diff:
---
malloc/malloc.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f4bbd8edf..10ea6aa441 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
newp = __libc_malloc (bytes);
if (newp != NULL)
{
- memcpy (newp, oldmem, oldsize - SIZE_SZ);
+ size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
+ memcpy (newp, oldmem, sz);
+ (void) TAG_REGION (chunk2rawmem (oldp), sz);
_int_free (ar_ptr, oldp, 0);
}
}
@@ -4850,10 +4852,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
else
{
void *oldmem = chunk2mem (oldp);
+ size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
newmem = TAG_NEW_USABLE (newmem);
- memcpy (newmem, oldmem,
- CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ);
- (void) TAG_REGION (chunk2rawmem (oldp), oldsize);
+ memcpy (newmem, oldmem, sz);
+ (void) TAG_REGION (chunk2rawmem (oldp), sz);
_int_free (av, oldp, 1);
check_inuse_chunk (av, newp);
return chunk2mem (newp);
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-19 11:56 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-11 17:40 [glibc/nsz/mtag] malloc: Fix a realloc crash with heap tagging [BZ 27468] Szabolcs Nagy
-- strict thread matches above, loose matches on Subject: below --
2021-03-19 11:56 Szabolcs Nagy
2021-03-11 17:38 Szabolcs Nagy
2021-03-04 16:25 Szabolcs Nagy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).