From: DJ Delorie
To: liqingqing
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH] malloc: Print error when oldsize is not equal to the current size.
In-Reply-To: <4574b99b-edac-d8dc-9141-79c3109d2fcc@huawei.com> (message from liqingqing on Thu, 1 Apr 2021 16:51:45 +0800)
Date: Tue, 13 Apr 2021 18:14:10 -0400

liqingqing writes:
> the read of the oldsize is not protected by any lock, so check this value to avoid causing bigger mistakes.

Normally nothing can change oldsize until the oldp chunk is returned to the arena, and at the point where you added the check that hasn't happened.

Could you be more specific about how this value might change out from under us? Is this a case of "some other thread might corrupt this"? But that can happen regardless of lock. Are you assuming some other malloc/free call could corrupt oldsize while they hold the lock? If so, is there a published exploit description for this?
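To make the pattern under review concrete, here is an added example that is not part of this thread and not glibc code: a constructed toy chunk header (names such as `chunk_hdr`, `recheck_oldsize`, `simulate_realloc` and the 16-byte alignment are assumptions) models the sequence the patch is about. `oldsize` is read once from the chunk header, something happens in between, and the header is re-read and compared before the chunk would be handed back. As the reply above points out, a lock does not protect against a stray write into the header, so the re-check is a metadata integrity check rather than a synchronization fix; the example shows what such a check catches (a changed size word, a misaligned size word) and what it does not (a header that never changed).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy model of a malloc chunk header, loosely shaped like
   glibc's malloc_chunk: the size word carries the chunk length plus flag
   bits in the low 3 bits.  Not glibc code; the names are assumptions. */
#define SIZE_BITS    0x7UL
#define PREV_INUSE   0x1UL
#define MALLOC_ALIGN 16UL

typedef struct {
    size_t prev_size;   /* size of the previous chunk, if that chunk is free */
    size_t size;        /* this chunk's size | flag bits */
} chunk_hdr;

static size_t chunksize(const chunk_hdr *p) { return p->size & ~SIZE_BITS; }

enum realloc_check {
    CHECK_OK = 0,
    CHECK_MISALIGNED,      /* size field is not a multiple of MALLOC_ALIGN */
    CHECK_SIZE_CHANGED     /* size field no longer matches the earlier read */
};

/* Sanity check in the spirit of the patch under discussion: oldsize was
   read once at the start of the realloc path; before the chunk is handed
   back to the arena, re-read the header and compare.  Returns a code
   instead of aborting so the outcome can be inspected. */
enum realloc_check recheck_oldsize(const chunk_hdr *oldp, size_t oldsize)
{
    size_t now = chunksize(oldp);
    if (now % MALLOC_ALIGN != 0)
        return CHECK_MISALIGNED;
    if (now != oldsize)
        return CHECK_SIZE_CHANGED;
    return CHECK_OK;
}

/* Lay out one in-use chunk holding `payload` user bytes in a caller-supplied
   buffer and return its header.  Constructed heap, no real allocator. */
static chunk_hdr *place_chunk(unsigned char *heap, size_t payload)
{
    chunk_hdr *p = (chunk_hdr *)heap;
    size_t sz = (payload + sizeof(size_t) + MALLOC_ALIGN - 1) & ~(MALLOC_ALIGN - 1);
    p->prev_size = 0;
    p->size = sz | PREV_INUSE;
    return p;
}

/* Walk the realloc-style sequence: read oldsize, let time pass, re-check.
   mode 0: header untouched.
   mode 1: size word overwritten with an aligned but wrong value.
   mode 2: size word overwritten with a misaligned value.
   Modes 1 and 2 stand in for a stray write into the header (for example an
   out-of-bounds write from a neighbouring buffer) that no lock prevents. */
enum realloc_check simulate_realloc(int mode)
{
    unsigned char heap[256];
    memset(heap, 0, sizeof heap);
    chunk_hdr *oldp = place_chunk(heap, 40);   /* 40 + 8 rounded up -> 48 */
    size_t oldsize = chunksize(oldp);          /* the single early read */

    if (mode == 1)
        oldp->size = 0x41414141UL;             /* simulated corruption, aligned */
    else if (mode == 2)
        oldp->size = 0x4148UL;                 /* simulated corruption, misaligned */

    return recheck_oldsize(oldp, oldsize);
}

int main(void)
{
    printf("untouched:         %d\n", simulate_realloc(0));
    printf("aligned clobber:   %d\n", simulate_realloc(1));
    printf("misaligned clobber: %d\n", simulate_realloc(2));
    return 0;
}
```

The point the example makes is the one raised in the reply: the re-check only fires if the header was modified between the two reads, so it is a detector for corrupted metadata, not a substitute for holding the arena lock, and it says nothing about who modified the header or why.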