Bug 585674 - free() race in mcheck hooks
Summary: free() race in mcheck hooks
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc (Show other bugs)
(Show other bugs)
Version: 5.5
Hardware: All Linux
high
high
Target Milestone: rc
: ---
Assignee: Andreas Schwab
QA Contact: qe-baseos-tools
URL:
Whiteboard:
Keywords: Patch, ZStream
: 633841 (view as bug list)
Depends On:
Blocks: 637067
TreeView+ depends on / blocked
 
Reported: 2010-04-25 14:40 UTC by Jeff Bastian
Modified: 2018-11-14 19:38 UTC (History)
6 users (show)

Fixed In Version: glibc-2.5-54
Doc Type: Bug Fix
Doc Text:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-14 00:04:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
malloc check patch (4.12 KB, patch)
2010-04-25 14:43 UTC, Jeff Bastian
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0109 normal SHIPPED_LIVE glibc bug fix and enhancement update 2011-01-12 17:29:09 UTC

Description Jeff Bastian 2010-04-25 14:40:30 UTC
Description of problem:
segfaults can occur with MEMCHECK_ALLOC_=3 enabled.  This was reported and fixed upstream at
http://sourceware.org/bugzilla/show_bug.cgi?id=10282
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=cc49a5a8837be1f9307b167d9bf4399798a847c9

Version-Release number of selected component (if applicable):
glibc-2.5-49

How reproducible:
every time

Steps to Reproduce:
1. cat malloc_test.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
#pragma omp parallel num_threads(256)
 while (1) {
   void *ptr = malloc(rand() % 65536);
   usleep((rand() % 100) * 100);
   free(ptr);
   usleep((rand() % 100) * 100);
 }
 return 0;
}

2. gcc -fopenmp -g -o malloc_check malloc_check.c

3. MALLOC_CHECK_=3 ./malloc_test
  
Actual results:
malloc: using debugging hooks
*** glibc detected *** ./malloc_test: free(): invalid pointer: 0x00000000043e9c90 ***


Expected results:
no segfaults

Additional info:

Comment 1 Jeff Bastian 2010-04-25 14:42:06 UTC
(Oops, MEMCHECK_ALLOC_ should have been MALLOC_CHECK_)

Comment 2 Jeff Bastian 2010-04-25 14:43:33 UTC
Created attachment 408960 [details]
malloc check patch

The upstream patch applied cleanly except for some line number fuzziness.  Attached is a slightly modified patch to correct the line numbers.

Comment 5 Tru Huynh 2010-06-10 09:01:55 UTC
also filled under http://bugs.centos.org/view.php?id=4370

Comment 6 Andreas Schwab 2010-09-15 13:37:31 UTC
*** Bug 633841 has been marked as a duplicate of this bug. ***

Comment 13 Martin Prpič 2010-12-02 11:18:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.

Comment 15 errata-xmlrpc 2011-01-14 00:04:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0109.html


Note You need to log in before you can comment on or make changes to this bug.