mirror of
https://sourceware.org/git/glibc.git
synced 2025-01-05 09:01:07 +00:00
Fix race in corruption check.
With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem re-do the test after getting the lock.
This commit is contained in:
parent
bea0ac1d87
commit
bec466d922
@ -1,3 +1,9 @@
|
|||||||
|
2009-07-16 Ulrich Drepper <drepper@redhat.com>
|
||||||
|
Jakub Jelinek <jakub@redhat.com>
|
||||||
|
|
||||||
|
* malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
|
||||||
|
corruption thread-safe.
|
||||||
|
|
||||||
2009-07-13 Jakub Jelinek <jakub@redhat.com>
|
2009-07-13 Jakub Jelinek <jakub@redhat.com>
|
||||||
|
|
||||||
* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
|
* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch
|
||||||
|
@ -4799,9 +4799,30 @@ _int_free(mstate av, mchunkptr p)
|
|||||||
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
|
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
|
||||||
>= av->system_mem, 0))
|
>= av->system_mem, 0))
|
||||||
{
|
{
|
||||||
|
#ifdef ATOMIC_FASTBINS
|
||||||
|
/* We might not have a lock at this point and concurrent modifications
|
||||||
|
of system_mem might have let to a false positive. Redo the test
|
||||||
|
after getting the lock. */
|
||||||
|
if (have_lock
|
||||||
|
|| ({ assert (locked == 0);
|
||||||
|
mutex_lock(&av->mutex);
|
||||||
|
locked = 1;
|
||||||
|
chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
|
||||||
|
|| chunksize (chunk_at_offset (p, size)) >= av->system_mem;
|
||||||
|
}))
|
||||||
|
#endif
|
||||||
|
{
|
||||||
errstr = "free(): invalid next size (fast)";
|
errstr = "free(): invalid next size (fast)";
|
||||||
goto errout;
|
goto errout;
|
||||||
}
|
}
|
||||||
|
#ifdef ATOMIC_FASTBINS
|
||||||
|
if (! have_lock)
|
||||||
|
{
|
||||||
|
(void)mutex_unlock(&av->mutex);
|
||||||
|
locked = 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
if (__builtin_expect (perturb_byte, 0))
|
if (__builtin_expect (perturb_byte, 0))
|
||||||
free_perturb (chunk2mem(p), size - SIZE_SZ);
|
free_perturb (chunk2mem(p), size - SIZE_SZ);
|
||||||
|
Loading…
Reference in New Issue
Block a user