about summary refs log tree commit diff
path: root/malloc
diff options
context:
space:
mode:
authorW. Hashimoto <ssmallkirby@gmail.com>2020-12-11 16:59:10 -0500
committerDJ Delorie <dj@redhat.com>2020-12-11 16:59:10 -0500
commit0e00b35704e67c499c3abfbd5b6224a13d38b012 (patch)
treef152ace4c444d59c1590e40d2ce814e442f97346 /malloc
parent751acde7ec335506b54e94ed6f2c998f6c0a22c6 (diff)
downloadglibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.tar.gz
glibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.tar.xz
glibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.zip
malloc: Detect infinite-loop in _int_free when freeing tcache [BZ#27052]
If linked-list of tcache contains a loop, it invokes infinite
loop in _int_free when freeing tcache. The PoC which invokes
such infinite loop is on the Bugzilla(#27052). This loop
should terminate when the loop exceeds mp_.tcache_count and
the program should abort. The affected glibc version is
2.29 or later.

Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'malloc')
-rw-r--r--malloc/malloc.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 5b87bdb081..ec2d934595 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock)
 	if (__glibc_unlikely (e->key == tcache))
 	  {
 	    tcache_entry *tmp;
+	    size_t cnt = 0;
 	    LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
 	    for (tmp = tcache->entries[tc_idx];
 		 tmp;
-		 tmp = REVEAL_PTR (tmp->next))
+		 tmp = REVEAL_PTR (tmp->next), ++cnt)
 	      {
+		if (cnt >= mp_.tcache_count)
+		  malloc_printerr ("free(): too many chunks detected in tcache");
 		if (__glibc_unlikely (!aligned_OK (tmp)))
 		  malloc_printerr ("free(): unaligned chunk detected in tcache 2");
 		if (tmp == e)