Bug 585674 - free() race in mcheck hooks
Summary: free() race in mcheck hooks
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.5
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Andreas Schwab
QA Contact: qe-baseos-tools-bugs
Duplicates: 633841
Depends On:
Blocks: 637067
Reported: 2010-04-25 14:40 UTC by Jeff Bastian
Modified: 2018-11-14 19:38 UTC (History)

Fixed In Version: glibc-2.5-54
Doc Type: Bug Fix
Doc Text:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
Clone Of:
Last Closed: 2011-01-14 00:04:20 UTC
Target Upstream Version:

Attachments
malloc check patch (4.12 KB, patch)
2010-04-25 14:43 UTC, Jeff Bastian

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0109 0 normal SHIPPED_LIVE glibc bug fix and enhancement update 2011-01-12 17:29:09 UTC

Description Jeff Bastian 2010-04-25 14:40:30 UTC
Description of problem:
segfaults can occur with MEMCHECK_ALLOC_=3 enabled.  This was reported and fixed upstream at

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. cat malloc_test.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
  /* 256 threads allocate and free concurrently */
#pragma omp parallel num_threads(256)
  while (1) {
    void *ptr = malloc(rand() % 65536);
    usleep((rand() % 100) * 100);
    free(ptr);
    usleep((rand() % 100) * 100);
  }
  return 0;
}

2. gcc -fopenmp -g -o malloc_test malloc_test.c

3. MALLOC_CHECK_=3 ./malloc_test
Actual results:
malloc: using debugging hooks
*** glibc detected *** ./malloc_test: free(): invalid pointer: 0x00000000043e9c90 ***

Expected results:
no segfaults

Additional info:

Comment 1 Jeff Bastian 2010-04-25 14:42:06 UTC
(Oops, MEMCHECK_ALLOC_ should have been MALLOC_CHECK_)

Comment 2 Jeff Bastian 2010-04-25 14:43:33 UTC
Created attachment 408960
malloc check patch

The upstream patch applied cleanly except for some line number fuzziness.  Attached is a slightly modified patch to correct the line numbers.

Comment 5 Tru Huynh 2010-06-10 09:01:55 UTC
also filed under http://bugs.centos.org/view.php?id=4370

Comment 6 Andreas Schwab 2010-09-15 13:37:31 UTC
*** Bug 633841 has been marked as a duplicate of this bug. ***

Comment 13 Martin Prpič 2010-12-02 11:18:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.

Comment 15 errata-xmlrpc 2011-01-14 00:04:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
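
A bounded pthread variant of the reproducer from the Description, added here as an example (it is not code from the bug report or from glibc), usable as a regression check for the fixed package: it runs a fixed number of malloc/free pairs and exits 0 only if all of them complete. The names run_stress and churn, the iteration count, the shorter sleep and the use of rand_r() are assumptions of this example.

```c
#define _GNU_SOURCE            /* for rand_r() and usleep() declarations */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct worker { unsigned seed; long iters; long done; };

/* One thread: the same malloc/sleep/free cycle as the reproducer, but finite. */
static void *churn(void *arg)
{
    struct worker *w = arg;
    for (long i = 0; i < w->iters; i++) {
        void *p = malloc(rand_r(&w->seed) % 65536);  /* per-thread RNG state */
        usleep((rand_r(&w->seed) % 100) * 10);       /* hold the block briefly */
        free(p);               /* goes through the MALLOC_CHECK_ free hook */
        w->done++;
    }
    return NULL;
}

/* Returns the number of malloc/free pairs completed, or -1 on setup failure. */
long run_stress(int nthreads, long iters)
{
    pthread_t *tid = calloc(nthreads, sizeof *tid);
    struct worker *w = calloc(nthreads, sizeof *w);
    long total = 0, result = -1;
    int started = 0;
    if (tid && w) {
        for (; started < nthreads; started++) {
            w[started] = (struct worker){ .seed = 1u + started, .iters = iters };
            if (pthread_create(&tid[started], NULL, churn, &w[started]) != 0)
                break;
        }
        for (int i = 0; i < started; i++) {   /* join only what was started */
            pthread_join(tid[i], NULL);
            total += w[i].done;
        }
        if (started == nthreads) result = total;
    }
    free(tid); free(w);
    return result;
}

int main(void)
{
    long n = run_stress(256, 200);   /* 256 threads, as in the report */
    printf("%ld malloc/free pairs completed\n", n);
    return n == 256L * 200 ? 0 : 1;
}
```

Build with gcc -pthread and run with MALLOC_CHECK_=3 set in the environment; a "glibc detected" abort or a non-zero exit status means the check failed.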

