diff options
author | W. Hashimoto <ssmallkirby@gmail.com> | 2020-12-11 16:59:10 -0500 |
---|---|---|
committer | DJ Delorie <dj@redhat.com> | 2020-12-11 16:59:10 -0500 |
commit | 0e00b35704e67c499c3abfbd5b6224a13d38b012 (patch) | |
tree | f152ace4c444d59c1590e40d2ce814e442f97346 /malloc | |
parent | 751acde7ec335506b54e94ed6f2c998f6c0a22c6 (diff) | |
download | glibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.tar.gz glibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.tar.xz glibc-0e00b35704e67c499c3abfbd5b6224a13d38b012.zip |
malloc: Detect infinite-loop in _int_free when freeing tcache [BZ#27052]
If linked-list of tcache contains a loop, it invokes infinite loop in _int_free when freeing tcache. The PoC which invokes such infinite loop is on the Bugzilla(#27052). This loop should terminate when the loop exceeds mp_.tcache_count and the program should abort. The affected glibc version is 2.29 or later. Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'malloc')
-rw-r--r-- | malloc/malloc.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 5b87bdb081..ec2d934595 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock) if (__glibc_unlikely (e->key == tcache)) { tcache_entry *tmp; + size_t cnt = 0; LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx); for (tmp = tcache->entries[tc_idx]; tmp; - tmp = REVEAL_PTR (tmp->next)) + tmp = REVEAL_PTR (tmp->next), ++cnt) { + if (cnt >= mp_.tcache_count) + malloc_printerr ("free(): too many chunks detected in tcache"); if (__glibc_unlikely (!aligned_OK (tmp))) malloc_printerr ("free(): unaligned chunk detected in tcache 2"); if (tmp == e) |