Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.27 COMMITTED] malloc: Add another test for tcache double free check.
Message-Id: <20181212124125.3DE058317555@oldenburg2.str.redhat.com>
From: Florian Weimer

From: DJ Delorie

This one tests for BZ#23907 where the double free test didn't check the tcache bin bounds before dereferencing the bin.

[BZ #23907]
* malloc/tst-tcfree3.c: New.
* malloc/Makefile: Add it.

(cherry picked from commit 7c9a7c68363051cfc5fa1ebb96b3b2c1f82dcb76)

2018-12-07 DJ Delorie

[BZ #23907]
* malloc/tst-tcfree3.c: New.
* malloc/Makefile: Add it.

diff --git a/malloc/Makefile b/malloc/Makefile index 946f2c22d5..a23d370ff3 100644 --- a/malloc/Makefile +++ b/malloc/Makefile @@ -37,7 +37,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ tst-malloc-tcache-leak \ tst-malloc_info \ tst-malloc-too-large \ - tst-tcfree1 tst-tcfree2 \ + tst-tcfree1 tst-tcfree2 tst-tcfree3 \ tests-static := \ tst-interpose-static-nothread \ diff --git a/malloc/tst-tcfree3.c b/malloc/tst-tcfree3.c new file mode 100644 index 0000000000..016d30ddd8 --- /dev/null +++ b/malloc/tst-tcfree3.c 
@@ -0,0 +1,56 @@ +/* Test that malloc tcache catches double free. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include + +/* Prevent GCC from optimizing away any malloc/free pairs. */ +#pragma GCC optimize ("O0") + +static int +do_test (void) +{ + /* Do two allocation of any size that fit in tcache, and one that + doesn't. */ + int ** volatile a = malloc (32); + int ** volatile b = malloc (32); + /* This is just under the mmap threshold. */ + int ** volatile c = malloc (127 * 1024); + + /* The invalid "tcache bucket" we might dereference will likely end + up somewhere within this memory block, so make all the accidental + "next" pointers cause segfaults. BZ #23907. */ + memset (c, 0xff, 127 * 1024); + + free (a); // puts in tcache + + /* A is now free and contains the key we use to detect in-tcache. + Copy the key to the other chunks. */ + memcpy (b, a, 32); + memcpy (c, a, 32); + + /* This free tests the "are we in the tcache already" loop with a + VALID bin but "coincidental" matching key. */ + free (b); // should NOT abort + /* This free tests the "is it a valid tcache bin" test. */ + free (c); // should NOT abort + + return 0; +} + +#include
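
Review bot: The opening comment of malloc/tst-tcfree3.c, "Test that malloc tcache catches double free", does not describe what do_test checks: both free (b) and free (c) are marked "should NOT abort", so the test passes only when free does not report a double free for a chunk that merely carries a copied key and, for c, does not dereference an out-of-range tcache bin. Suggest rewording the header along the lines of "Test that the tcache double free check has no false positives and validates the bin index (BZ #23907)". Two smaller points in the same hunk: the results of the three malloc calls are passed to memset and memcpy without a NULL check, so an allocation failure would surface as a crash that looks like the bug under test; and the size 127 * 1024 is only "just under the mmap threshold" for the default threshold, which the comment should say, since the test depends on c not being served by mmap.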