aboutsummaryrefslogtreecommitdiff
path: root/malloc/malloc.c
diff options
context:
space:
mode:
authorWilco Dijkstra <wdijkstr@arm.com>2019-05-10 16:38:21 +0100
committerWilco Dijkstra <wdijkstr@arm.com>2019-05-10 16:38:21 +0100
commit5ad533e8e65092be962e414e0417112c65d154fb (patch)
treebb926e04c328e70f54fc026cbee805c52d9b2f6d /malloc/malloc.c
parent4aee85f96b881c1cb80a1fff752b8e2130a9a4d9 (diff)
downloadglibc-5ad533e8e65092be962e414e0417112c65d154fb.tar
glibc-5ad533e8e65092be962e414e0417112c65d154fb.tar.gz
glibc-5ad533e8e65092be962e414e0417112c65d154fb.tar.bz2
glibc-5ad533e8e65092be962e414e0417112c65d154fb.zip
Fix tcache count maximum (BZ #24531)
The tcache counts[] array is a char, which has a very small range and thus may overflow. When setting tcache_count tunable, there is no overflow check. However the tunable must not be larger than the maximum value of the tcache counts[] array, otherwise it can overflow when filling the tcache. [BZ #24531] * malloc/malloc.c (MAX_TCACHE_COUNT): New define. (do_set_tcache_count): Only update if count is small enough. * manual/tunables.texi (glibc.malloc.tcache_count): Document max value.
Diffstat (limited to 'malloc/malloc.c')
-rw-r--r--malloc/malloc.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0e3d4dd516..b8baaa2706 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2905,6 +2905,8 @@ typedef struct tcache_perthread_struct
tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;
+#define MAX_TCACHE_COUNT 127 /* Maximum value of counts[] entries. */
+
static __thread bool tcache_shutting_down = false;
static __thread tcache_perthread_struct *tcache = NULL;
@@ -5098,8 +5100,11 @@ do_set_tcache_max (size_t value)
static __always_inline int
do_set_tcache_count (size_t value)
{
- LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count);
- mp_.tcache_count = value;
+ if (value <= MAX_TCACHE_COUNT)
+ {
+ LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count);
+ mp_.tcache_count = value;
+ }
return 1;
}