From: Szabolcs Nagy
To: libc-stable@sourceware.org
Subject: [COMMITTED 2.33] malloc: Fix a realloc crash with heap tagging [BZ 27468]
Date: Mon, 29 Mar 2021 09:47:55 +0100
Message-Id: <20210329084755.8717-1-szabolcs.nagy@arm.com>

_int_free must be called with a chunk that has its tag reset.
This was missing in a rare case that could crash when heap tagging is enabled: when in a multi-threaded process the current arena runs out of memory during realloc, but another arena still has space to finish the realloc then _int_free was called without clearing the user allocation tags.

Fixes bug 27468.

Reviewed-by: DJ Delorie
(cherry picked from commit 42cc96066b22ba065db11096c78881a55e45def4)
--- malloc/malloc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 1f4bbd8edf..8f8f12c276 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes) newp = __libc_malloc (bytes); if (newp != NULL) { - memcpy (newp, oldmem, oldsize - SIZE_SZ); + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ; + memcpy (newp, oldmem, sz); + (void) TAG_REGION (chunk2rawmem (oldp), sz); _int_free (ar_ptr, oldp, 0); } } -- 2.17.1
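
Review bot: the copy length in the `if (newp != NULL)` branch of __libc_realloc changes from `oldsize - SIZE_SZ` to `CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ`, but the commit message only describes the missing tag reset; please say in the message or in a comment why the length expression changed, so a later reader does not take it for an unrelated behaviour change in a stable backport. The new `TAG_REGION (chunk2rawmem (oldp), sz)` line would also benefit from a one-line comment stating that _int_free expects the chunk's tag to be reset and that the retag has to come after the `memcpy`, which still reads through the tagged `oldmem` pointer; the ordering is easy to break in a later cleanup. The diffstat shows only malloc/malloc.c changing, so the path described in the message (current arena out of memory during realloc in a multi-threaded process, another arena completing it) has no regression test in this commit; consider adding one or noting why it is impractical.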