From 0e00b35704e67c499c3abfbd5b6224a13d38b012 Mon Sep 17 00:00:00 2001
From: "W. Hashimoto" <ssmallkirby@gmail.com>
Date: Fri, 11 Dec 2020 16:59:10 -0500
Subject: malloc: Detect infinite-loop in _int_free when freeing tcache
[BZ#27052]
If the tcache linked list contains a cycle, it enters an infinite
loop in _int_free when freeing tcache. The PoC which invokes
such infinite loop is on the Bugzilla(#27052). This loop
should terminate when the loop exceeds mp_.tcache_count and
the program should abort. The affected glibc version is
2.29 or later.
Reviewed-by: DJ Delorie <dj@redhat.com>
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 5b87bdb081..ec2d934595 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock)
if (__glibc_unlikely (e->key == tcache))
{
tcache_entry *tmp;
+ size_t cnt = 0;
LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
for (tmp = tcache->entries[tc_idx];
tmp;
- tmp = REVEAL_PTR (tmp->next))
+ tmp = REVEAL_PTR (tmp->next), ++cnt)
{
+ if (cnt >= mp_.tcache_count)
+ malloc_printerr ("free(): too many chunks detected in tcache");
if (__glibc_unlikely (!aligned_OK (tmp)))
malloc_printerr ("free(): unaligned chunk detected in tcache 2");
if (tmp == e)