authorUlrich Drepper <drepper@redhat.com>2009-07-16 09:54:34 -0700
committerUlrich Drepper <drepper@redhat.com>2009-07-16 09:54:34 -0700
commitbec466d922ee22b94ac0d00415fb605e136efe6e (patch)
tree52e72934969d628a3d301e84f1dc66aa9f2ec932
parentbea0ac1d8703091294fe5822d982591c849b5458 (diff)
Fix race in corruption check.
With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem, re-do the test after getting the lock.
-rw-r--r--ChangeLog6
-rw-r--r--malloc/malloc.c25
2 files changed, 29 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 1e9df42..6ddf9a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-07-16 Ulrich Drepper <drepper@redhat.com>
+ Jakub Jelinek <jakub@redhat.com>
+
+ * malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
+ corruption thread-safe.
+
2009-07-13 Jakub Jelinek <jakub@redhat.com>
* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0c0182e..a459a2b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4799,8 +4799,29 @@ _int_free(mstate av, mchunkptr p)
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
>= av->system_mem, 0))
{
- errstr = "free(): invalid next size (fast)";
- goto errout;
+#ifdef ATOMIC_FASTBINS
+ /* We might not have a lock at this point and concurrent modifications
+ of system_mem might have let to a false positive. Redo the test
+ after getting the lock. */
+ if (have_lock
+ || ({ assert (locked == 0);
+ mutex_lock(&av->mutex);
+ locked = 1;
+ chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+ || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
+ }))
+#endif
+ {
+ errstr = "free(): invalid next size (fast)";
+ goto errout;
+ }
+#ifdef ATOMIC_FASTBINS
+ if (! have_lock)
+ {
+ (void)mutex_unlock(&av->mutex);
+ locked = 0;
+ }
+#endif
}
if (__builtin_expect (perturb_byte, 0))
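Review bot: The locked re-test inside the statement expression (the two lines `chunk_at_offset (p, size)->size <= 2 * SIZE_SZ || chunksize (chunk_at_offset (p, size)) >= av->system_mem;`) is a verbatim second copy of the unlocked condition that opens this `if` above the hunk, and nothing ties the two together, so a future tightening of one check can silently leave the other, and thus the corruption detection, out of sync; factoring the predicate into one `static inline` helper used at both sites keeps the unlocked fast path and the authoritative locked re-check identical by construction. The `#ifdef ATOMIC_FASTBINS` that ends right before the `{` also detaches the `if` from its body, so in the non-atomic build the `errstr`/`goto errout` block is an unconditional compound statement, which is correct but easy to misread; a short comment on that `{`, e.g. `/* Without ATOMIC_FASTBINS this block is unconditional: the first test is already authoritative.  */`, would help. In the comment on the new lines, "might have let to a false positive" should read "might have led to a false positive". The `goto errout` taken with `locked = 1` relies on the `errout` label, which lies outside this hunk, releasing `av->mutex` when `locked` is set and `have_lock` is not; worth confirming, since otherwise the error path would exit holding the arena lock. The enclosing `_int_free` starts and ends outside the hunk.
```c
/* … helper, placed before _int_free … */
/* Nonzero if the chunk following P (of size SIZE) has an implausible
   size field; the caller decides whether av->mutex is held.  */
static inline int
next_chunk_size_invalid (mstate av, mchunkptr p, INTERNAL_SIZE_T size)
{
  mchunkptr next = chunk_at_offset (p, size);
  return next->size <= 2 * SIZE_SZ || chunksize (next) >= av->system_mem;
}
/* … in _int_free, the locked re-test … */
	if (have_lock
	    || ({ assert (locked == 0);
		  mutex_lock(&av->mutex);
		  locked = 1;
		  next_chunk_size_invalid (av, p, size);
		}))
/* … unchanged: error block and conditional unlock … */
```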