[PATCH] malloc: tcache: detect infinite-loop in _int_free when freeing tcache [BZ#27052]

[PATCH] malloc: tcache: detect infinite-loop in _int_free when freeing tcache [BZ#27052]

[W. Hashimoto]

If linked-list of tcache contains a loop, it invokes infinite
loop in _int_free when freeing tcache. The PoC which invokes
such infinite loop is on the Bugzilla(#27052). This loop
should terminate when the loop exceeds mp_.tcache_count and
the program should abort. The affected glibc version is
2.29 or later.
---
 malloc/malloc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 5b87bdb081..aadae327bf 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock)
 	if (__glibc_unlikely (e->key == tcache))
 	  {
 	    tcache_entry *tmp;
+           size_t cnt = 0;
 	    LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
 	    for (tmp = tcache->entries[tc_idx];
 		 tmp;
-		 tmp = REVEAL_PTR (tmp->next))
+		 tmp = REVEAL_PTR (tmp->next), ++cnt)
 	      {
+               if (cnt >= mp_.tcache_count)
+                 malloc_printerr ("free(): too many chunks detected in tcache");
 		if (__glibc_unlikely (!aligned_OK (tmp)))
 		  malloc_printerr ("free(): unaligned chunk detected in tcache 2");
 		if (tmp == e)
-- 
2.25.1

Re: [PATCH] malloc: tcache: detect infinite-loop in _int_free when freeing tcache [BZ#27052]

[DJ Delorie]

"W. Hashimoto via Libc-alpha" <libc-alpha@sourceware.org> writes:
> If linked-list of tcache contains a loop, it invokes infinite
> loop in _int_free when freeing tcache. The PoC which invokes
> such infinite loop is on the Bugzilla(#27052). This loop
> should terminate when the loop exceeds mp_.tcache_count and
> the program should abort. The affected glibc version is
> 2.29 or later.

LGTM.  Thanks!  Committed.

Reviewed-by: DJ Delorie <dj@redhat.com>