Bug 585674

Summary: free() race in mcheck hooks
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Bastian <jbastian>
Component: glibc
Assignee: Andreas Schwab <schwab>
Status: CLOSED ERRATA
QA Contact: qe-baseos-tools-bugs
Severity: high
Priority: high
Version: 5.5
CC: ebachalo, fweimer, james.brown, pasteur, pmuller, tao
Target Milestone: rc
Keywords: Patch, ZStream
Hardware: All
OS: Linux
Fixed In Version: glibc-2.5-54
Doc Type: Bug Fix
Doc Text:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
Last Closed: 2011-01-14 00:04:20 UTC
Bug Blocks: 637067    
Attachments:
malloc check patch (flags: none)

Description Jeff Bastian 2010-04-25 14:40:30 UTC
Description of problem:
Segfaults can occur with MEMCHECK_ALLOC_=3 enabled.  This was reported and fixed upstream at:
http://sourceware.org/bugzilla/show_bug.cgi?id=10282
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=cc49a5a8837be1f9307b167d9bf4399798a847c9

Version-Release number of selected component (if applicable):
glibc-2.5-49

How reproducible:
every time

Steps to Reproduce:
1. cat malloc_test.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
#pragma omp parallel num_threads(256)
 while (1) {
   void *ptr = malloc(rand() % 65536);
   usleep((rand() % 100) * 100);
   free(ptr);
   usleep((rand() % 100) * 100);
 }
 return 0;
}

2. gcc -fopenmp -g -o malloc_test malloc_test.c

3. MALLOC_CHECK_=3 ./malloc_test
  
Actual results:
malloc: using debugging hooks
*** glibc detected *** ./malloc_test: free(): invalid pointer: 0x00000000043e9c90 ***


Expected results:
no segfaults

Additional info:

Comment 1 Jeff Bastian 2010-04-25 14:42:06 UTC
(Oops, MEMCHECK_ALLOC_ should have been MALLOC_CHECK_)

Comment 2 Jeff Bastian 2010-04-25 14:43:33 UTC
Created attachment 408960
malloc check patch

The upstream patch applied cleanly except for some line number fuzziness.  Attached is a slightly modified patch to correct the line numbers.

Comment 5 Tru Huynh 2010-06-10 09:01:55 UTC
Also filed under http://bugs.centos.org/view.php?id=4370

Comment 6 Andreas Schwab 2010-09-15 13:37:31 UTC
*** Bug 633841 has been marked as a duplicate of this bug. ***

Comment 13 Martin Prpič 2010-12-02 11:18:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
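
The following is an added illustration of the kind of race the technical note describes. It is not glibc code and not the upstream patch. It assumes a checking hook that inspects chunk state which other threads update under a lock; the header layout, `arena_lock` and all function names are hypothetical.

```c
/* Added model of the race; not glibc source. All names are hypothetical. */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* One chunk header; a consistent header satisfies check == ~size. */
static struct { volatile size_t size, check; } hdr = { 16, ~(size_t)16 };
static pthread_mutex_t arena_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int stop;

/* Stands in for other threads' malloc/free rewriting headers under the lock. */
static void *mutator(void *arg) {
    (void)arg;
    for (size_t n = 32; !atomic_load(&stop); n += 16) {
        pthread_mutex_lock(&arena_lock);
        hdr.size = n;    /* header is inconsistent from here ... */
        hdr.check = ~n;  /* ... until here */
        pthread_mutex_unlock(&arena_lock);
    }
    return NULL;
}

static int header_ok(void) { size_t s = hdr.size; return hdr.check == ~s; }
/* Before: the pointer check reads the header without holding the lock. */
static int free_check_racy(void) { return header_ok(); }
/* After: the lock is held across the check, so only consistent headers are seen. */
static int free_check_locked(void) {
    pthread_mutex_lock(&arena_lock);
    int ok = header_ok();
    pthread_mutex_unlock(&arena_lock);
    return ok;
}
/* Runs iters checks beside a live mutator; returns the number of bogus
   "invalid pointer" verdicts, or -1 if the thread could not be started. */
static long false_reports(int (*check)(void), long iters) {
    pthread_t t;
    long bad = 0;
    atomic_store(&stop, 0);
    if (pthread_create(&t, NULL, mutator, NULL) != 0) return -1;
    for (long i = 0; i < iters; i++) bad += !check();
    atomic_store(&stop, 1);
    pthread_join(t, NULL);
    return bad;
}

int main(void) {
    printf("unlocked check: %ld bogus reports\n", false_reports(free_check_racy, 2000000));
    printf("locked check:   %ld bogus reports\n", false_reports(free_check_locked, 200000));
}
```

Build with `gcc -pthread`. The unlocked count varies from run to run and can be zero on a lightly loaded machine; the locked count is always zero.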

Comment 15 errata-xmlrpc 2011-01-14 00:04:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0109.html