Bug 585674 - free() race in mcheck hooks
Summary: free() race in mcheck hooks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Andreas Schwab
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Duplicates: 633841
Depends On:
Blocks: 637067
 
Reported: 2010-04-25 14:40 UTC by Jeff Bastian
Modified: 2018-11-14 19:38 UTC

Fixed In Version: glibc-2.5-54
Doc Type: Bug Fix
Doc Text:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.
Clone Of:
Environment:
Last Closed: 2011-01-14 00:04:20 UTC
Target Upstream Version:
Embargoed:


Attachments
malloc check patch (4.12 KB, patch), 2010-04-25 14:43 UTC, Jeff Bastian


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:0109 | 0 | normal | SHIPPED_LIVE | glibc bug fix and enhancement update | 2011-01-12 17:29:09 UTC

Description Jeff Bastian 2010-04-25 14:40:30 UTC
Description of problem:
segfaults can occur with MEMCHECK_ALLOC_=3 enabled.  This was reported and fixed upstream at
http://sourceware.org/bugzilla/show_bug.cgi?id=10282
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=cc49a5a8837be1f9307b167d9bf4399798a847c9

Version-Release number of selected component (if applicable):
glibc-2.5-49

How reproducible:
every time

Steps to Reproduce:
1. cat malloc_test.c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
#pragma omp parallel num_threads(256)
 while (1) {
   void *ptr = malloc(rand() % 65536);
   usleep((rand() % 100) * 100);
   free(ptr);
   usleep((rand() % 100) * 100);
 }
 return 0;
}

2. gcc -fopenmp -g -o malloc_test malloc_test.c

3. MALLOC_CHECK_=3 ./malloc_test
  
Actual results:
malloc: using debugging hooks
*** glibc detected *** ./malloc_test: free(): invalid pointer: 0x00000000043e9c90 ***


Expected results:
no segfaults

Additional info:

Comment 1 Jeff Bastian 2010-04-25 14:42:06 UTC
(Oops, MEMCHECK_ALLOC_ should have been MALLOC_CHECK_)

Comment 2 Jeff Bastian 2010-04-25 14:43:33 UTC
Created attachment 408960
malloc check patch

The upstream patch applied cleanly except for some line number fuzziness.  Attached is a slightly modified patch to correct the line numbers.

Comment 5 Tru Huynh 2010-06-10 09:01:55 UTC
also filed under http://bugs.centos.org/view.php?id=4370

Comment 6 Andreas Schwab 2010-09-15 13:37:31 UTC
*** Bug 633841 has been marked as a duplicate of this bug. ***

Comment 13 Martin Prpič 2010-12-02 11:18:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to a race in the 'free()' function, enabling 'MALLOC_CHECK_' could cause a segmentation fault. This update adds proper locking in the 'free()' function to prevent the aforementioned segmentation fault.

Comment 15 errata-xmlrpc 2011-01-14 00:04:20 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0109.html

