diff options
| author | DJ Delorie <dj@delorie.com> | 2018-11-20 13:24:09 -0500 |
|---|---|---|
| committer | DJ Delorie <dj@delorie.com> | 2018-11-20 13:24:09 -0500 |
| commit | bcdaad21d4635931d1bd3b54a7894276925d081d (patch) | |
| tree | 283d6b7b18006862bbac9ac711834b70dabd629f /malloc/malloc.c | |
| parent | 5770c0ad1e0c784e817464ca2cf9436a58c9beb7 (diff) | |
| download | glibc-bcdaad21d4635931d1bd3b54a7894276925d081d.zip glibc-bcdaad21d4635931d1bd3b54a7894276925d081d.tar.gz glibc-bcdaad21d4635931d1bd3b54a7894276925d081d.tar.bz2 | |
malloc: tcache double free check
* malloc/malloc.c (tcache_entry): Add key field.
(tcache_put): Set it.
(tcache_get): Likewise.
(_int_free): Check for double free in tcache.
* malloc/tst-tcfree1.c: New.
* malloc/tst-tcfree2.c: New.
* malloc/Makefile: Run the new tests.
* manual/probes.texi: Document memory_tcache_double_free probe.
* dlfcn/dlerror.c (check_free): Prevent double frees.
Diffstat (limited to 'malloc/malloc.c')
| -rw-r--r-- | malloc/malloc.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 6d7a6a8..f730d7a 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -2967,6 +2967,8 @@ mremap_chunk (mchunkptr p, size_t new_size) typedef struct tcache_entry { struct tcache_entry *next; + /* This field exists to detect double frees. */ + struct tcache_perthread_struct *key; } tcache_entry; /* There is one of these for each thread, which contains the @@ -2990,6 +2992,11 @@ tcache_put (mchunkptr chunk, size_t tc_idx) { tcache_entry *e = (tcache_entry *) chunk2mem (chunk); assert (tc_idx < TCACHE_MAX_BINS); + + /* Mark this chunk as "in the tcache" so the test in _int_free will + detect a double free. */ + e->key = tcache; + e->next = tcache->entries[tc_idx]; tcache->entries[tc_idx] = e; ++(tcache->counts[tc_idx]); @@ -3005,6 +3012,7 @@ tcache_get (size_t tc_idx) assert (tcache->entries[tc_idx] > 0); tcache->entries[tc_idx] = e->next; --(tcache->counts[tc_idx]); + e->key = NULL; return (void *) e; } @@ -4218,6 +4226,26 @@ _int_free (mstate av, mchunkptr p, int have_lock) { size_t tc_idx = csize2tidx (size); + /* Check to see if it's already in the tcache. */ + tcache_entry *e = (tcache_entry *) chunk2mem (p); + + /* This test succeeds on double free. However, we don't 100% + trust it (it also matches random payload data at a 1 in + 2^<size_t> chance), so verify it's not an unlikely coincidence + before aborting. */ + if (__glibc_unlikely (e->key == tcache && tcache)) + { + tcache_entry *tmp; + LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx); + for (tmp = tcache->entries[tc_idx]; + tmp; + tmp = tmp->next) + if (tmp == e) + malloc_printerr ("free(): double free detected in tcache 2"); + /* If we get here, it was a coincidence. We've wasted a few + cycles, but don't abort. */ + } + if (tcache && tc_idx < mp_.tcache_bins && tcache->counts[tc_idx] < mp_.tcache_count) |