Bug 585674 - free() race in mcheck hooks
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Andreas Schwab
QA Contact: qe-baseos-tools
Keywords: Patch, ZStream
Duplicates: 633841
Blocks: 637067
 
Reported: 2010-04-25 10:40 EDT by Jeff Bastian
Modified: 2016-11-24 11:02 EST
Fixed In Version: glibc-2.5-54
Doc Type: Bug Fix
Doc Text:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
Last Closed: 2011-01-13 19:04:20 EST


Attachments
malloc check patch (4.12 KB, patch)
2010-04-25 10:43 EDT, Jeff Bastian


External Trackers
Red Hat Product Errata RHBA-2011:0109 (Priority: normal; Status: SHIPPED_LIVE; Summary: glibc bug fix and enhancement update; Last Updated: 2011-01-12 12:29:09 EST)

Description Jeff Bastian 2010-04-25 10:40:30 EDT
Description of problem:
segfaults can occur with MEMCHECK_ALLOC_=3 enabled.  This was reported and fixed upstream at
http://sourceware.org/bugzilla/show_bug.cgi?id=10282
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=cc49a5a8837be1f9307b167d9bf4399798a847c9

Version-Release number of selected component (if applicable):
glibc-2.5-49

How reproducible:
every time

Steps to Reproduce:
1. cat malloc_test.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
  /* 256 OpenMP threads each run this loop, so malloc() and free()
     are called concurrently with random delays in between. */
#pragma omp parallel num_threads(256)
  while (1) {
    void *ptr = malloc(rand() % 65536);
    usleep((rand() % 100) * 100);
    free(ptr);
    usleep((rand() % 100) * 100);
  }
  return 0;
}

2. gcc -fopenmp -g -o malloc_test malloc_test.c

3. MALLOC_CHECK_=3 ./malloc_test
  
Actual results:
malloc: using debugging hooks
*** glibc detected *** ./malloc_test: free(): invalid pointer: 0x00000000043e9c90 ***


Expected results:
no segfaults

Additional info:
Comment 1 Jeff Bastian 2010-04-25 10:42:06 EDT
(Oops, MEMCHECK_ALLOC_ should have been MALLOC_CHECK_)
Comment 2 Jeff Bastian 2010-04-25 10:43:33 EDT
Created attachment 408960
malloc check patch

The upstream patch applied cleanly except for some line number fuzziness.  Attached is a slightly modified patch to correct the line numbers.
Comment 5 Tru Huynh 2010-06-10 05:01:55 EDT
Also filed under http://bugs.centos.org/view.php?id=4370
Comment 6 Andreas Schwab 2010-09-15 09:37:31 EDT
*** Bug 633841 has been marked as a duplicate of this bug. ***
Comment 13 Martin Prpič 2010-12-02 06:18:50 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
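
A single-threaded replay of the class of bug the technical note describes, added here as an example and not glibc's code or the attached patch: a free()-time check that reads shared arena state without the lock reports a valid block as invalid, while the same check made under the lock cannot run mid-update. The `arena` struct, its `base`/`len` bounds and every function name are constructed for illustration, and an `atomic_flag` stands in for the arena mutex.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy arena, not glibc's layout: block idx is valid iff
 * base <= idx < base + len. Writers change both fields under the lock. */
struct arena { atomic_flag lock; size_t base, len; };
enum verdict { PTR_OK, PTR_INVALID, PTR_WAIT };

static bool arena_trylock(struct arena *a) { return !atomic_flag_test_and_set(&a->lock); }
static void arena_unlock(struct arena *a) { atomic_flag_clear(&a->lock); }

static enum verdict bounds_check(const struct arena *a, size_t idx) {
    return (idx >= a->base && idx - a->base < a->len) ? PTR_OK : PTR_INVALID;
}

/* Racy hook: validates against bounds a writer may be halfway through changing. */
static enum verdict check_unlocked(struct arena *a, size_t idx) {
    return bounds_check(a, idx);
}

/* Locked hook: takes the arena lock before reading any bounds. A real mutex
 * would block; PTR_WAIT marks that point so one thread can replay the case. */
static enum verdict check_locked(struct arena *a, size_t idx) {
    if (!arena_trylock(a)) return PTR_WAIT;
    enum verdict v = bounds_check(a, idx);
    arena_unlock(a);
    return v;
}

/* Writer split in two so the caller can stop between the two stores. */
static void resize_begin(struct arena *a, size_t base) {
    while (!arena_trylock(a)) { }
    a->base = base;               /* len is still the old value here */
}
static void resize_end(struct arena *a, size_t len) { a->len = len; arena_unlock(a); }

/* Replays: arena [40,60) becomes [10,110); idx 50 is valid before and after. */
static enum verdict verdict_mid_resize(bool locked) {
    struct arena a = { ATOMIC_FLAG_INIT, 40, 20 };
    resize_begin(&a, 10);
    enum verdict v = locked ? check_locked(&a, 50) : check_unlocked(&a, 50);
    resize_end(&a, 100);
    return v;
}

int main(void) {
    printf("unlocked: %d, locked: %d\n", verdict_mid_resize(false), verdict_mid_resize(true));
    return 0;
}
```

Between the two stores the bounds read as [10,30), so the unlocked check rejects block 50 even though it is valid both before and after the resize.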
Comment 15 errata-xmlrpc 2011-01-13 19:04:20 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0109.html
