author | Ulrich Drepper <drepper@redhat.com> | 2009-07-16 09:54:34 -0700 |
---|---|---|
committer | Petr Baudis <pasky@suse.cz> | 2009-07-16 20:36:06 +0200 |
commit | 475cfe06fa5de340302b2245e0a0a162d7350c32 (patch) | |
tree | c6a4732f7335476838ef5b765522dfcb790efc00 | |
parent | e875bad50a2247e6297c1b2306d87b3eb623a0be (diff) | |
Fix race in corruption check.
With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem re-do the test after getting the lock. (cherry picked from commit bec466d922ee22b94ac0d00415fb605e136efe6e)
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | malloc/malloc.c | 25 |
2 files changed, 29 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 8a0e7ab6d1..34a5ad631c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-07-16 Ulrich Drepper <drepper@redhat.com>
+ Jakub Jelinek <jakub@redhat.com>
+
+ * malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
+ corruption thread-safe.
+
 2009-07-13 Jakub Jelinek <jakub@redhat.com> * include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
diff --git a/malloc/malloc.c b/malloc/malloc.c
index bd44dee7f4..4b623e2200 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4779,8 +4779,29 @@ _int_free(mstate av, mchunkptr p)
 || __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0)) {
- errstr = "free(): invalid next size (fast)";
- goto errout;
+#ifdef ATOMIC_FASTBINS
+ /* We might not have a lock at this point and concurrent modifications
+ of system_mem might have let to a false positive. Redo the test
+ after getting the lock. */
+ if (have_lock
+ || ({ assert (locked == 0);
+ mutex_lock(&av->mutex);
+ locked = 1;
+ chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+ || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
+ }))
+#endif
+ {
+ errstr = "free(): invalid next size (fast)";
+ goto errout;
+ }
+#ifdef ATOMIC_FASTBINS
+ if (! have_lock)
+ {
+ (void)mutex_unlock(&av->mutex);
+ locked = 0;
+ }
+#endif
 } if (__builtin_expect (perturb_byte, 0)) |
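Review bot: When the re-check under the lock confirms the corruption, the `goto errout` in the new block is taken with `av->mutex` held and `locked` set to 1, because the unlock added below it is reached only on the false-positive path. The `errout` label lies outside this hunk, so it should be confirmed that it releases the mutex when `locked` is set; if the error report does not abort the process, `_int_free` would otherwise return with the arena still locked. Acquiring the lock inside the statement expression of the `if` condition also hides that side effect in a test, so a comment before the `goto`, such as `/* Lock is still held here when !have_lock; errout must release it.  */`, would make the hand-off explicit. In the added comment, "let to a false positive" should read "led to a false positive". `_int_free` starts and ends outside the hunk.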