Date: Fri, 30 Nov 2018 22:32:00 -0500
From: DJ Delorie
To: libc-alpha@sourceware.org
Subject: malloc: Add another test for tcache double free check.

This one tests for RHBZ#1652495 where the double free test didn't
check the tcache bin bounds before dereferencing the bin.

* malloc/tst-tcfree3.c: New.
* malloc/Makefile: Add it.

Reviewed-by: Carlos O'Donell

diff --git a/malloc/Makefile b/malloc/Makefile index e6dfbfc14c..388cf7e9ee 100644 --- a/malloc/Makefile +++ b/malloc/Makefile @@ -38,7 +38,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ tst-malloc_info \ tst-malloc-too-large \ tst-malloc-stats-cancellation \ - tst-tcfree1 tst-tcfree2 \ + tst-tcfree1 tst-tcfree2 tst-tcfree3 \ tests-static := \ tst-interpose-static-nothread \ diff --git a/malloc/tst-tcfree3.c b/malloc/tst-tcfree3.c new file mode 100644 index 0000000000..1db6d2b220 --- /dev/null +++ b/malloc/tst-tcfree3.c
@@ -0,0 +1,56 @@ +/* Test that malloc tcache catches double free. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include + +/* Prevent GCC from optimizing away any malloc/free pairs. */ +#pragma GCC optimize ("O0") + +static int +do_test (void) +{ + /* Do two allocation of any size that fit in tcache, and one that + doesn't. */ + int ** volatile a = malloc (32); + int ** volatile b = malloc (32); + /* This is just under the MMAP threshold. */ + int ** volatile c = malloc (127 * 1024); + + /* The invalid "tcache bucket" we might dereference will likely end + up somewhere within this memory block, so make all the accidental + "next" pointers cause segfaults. RHBZ#1652495. */ + memset (c, 0xff, 127 * 1024); + + free (a); // puts in tcache + + /* A is now free and contains the key we use to detect in-tcache. + Copy the key to the other chunks. */ + memcpy (b, a, 32); + memcpy (c, a, 32); + + /* This free tests the "are we in the tcache already" loop with a + VALID bin but "coincidental" matching key. */ + free (b); // should NOT abort + /* This free tests the "is it a valid tcache bin" test. */ + free (c); // should NOT abort + + return 0; +} + +#include
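
Review bot: The opening comment of malloc/tst-tcfree3.c, "Test that malloc tcache catches double free", says the opposite of what do_test checks: both free (b) and free (c) are marked "should NOT abort", so this is a false-positive test for the double free check, not a detection test. Suggest rewording it along the lines of "Test that the tcache double free check does not misfire on a coincidental key or an out-of-range bin", so that a failure points the reader at RHBZ#1652495 rather than at a missed double free. A short comment at memcpy (b, a, 32) and memcpy (c, a, 32) stating that reading from a after free (a) is deliberate would also help, since that read is how the test obtains the key and it otherwise looks like a bug in the test itself.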