From 7c9a7c68363051cfc5fa1ebb96b3b2c1f82dcb76 Mon Sep 17 00:00:00 2001 From: DJ Delorie Date: Fri, 30 Nov 2018 22:13:09 -0500 Subject: malloc: Add another test for tcache double free check. This one tests for BZ#23907 where the double free test didn't check the tcache bin bounds before dereferencing the bin. [BZ #23907] * malloc/tst-tcfree3.c: New. * malloc/Makefile: Add it. --- ChangeLog | 6 ++++++ malloc/Makefile | 2 +- malloc/tst-tcfree3.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 malloc/tst-tcfree3.c diff --git a/ChangeLog b/ChangeLog index 2a5fad3372..7c4b061ec5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2018-12-07 DJ Delorie + + [BZ #23907] + * malloc/tst-tcfree3.c: New. + * malloc/Makefile: Add it. + 2018-12-07 H.J. Lu * include/sched.h (__getcpu): Don't use __typeof__ (getcpu). diff --git a/malloc/Makefile b/malloc/Makefile index e6dfbfc14c..388cf7e9ee 100644 --- a/malloc/Makefile +++ b/malloc/Makefile @@ -38,7 +38,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ tst-malloc_info \ tst-malloc-too-large \ tst-malloc-stats-cancellation \ - tst-tcfree1 tst-tcfree2 \ + tst-tcfree1 tst-tcfree2 tst-tcfree3 \ tests-static := \ tst-interpose-static-nothread \ diff --git a/malloc/tst-tcfree3.c b/malloc/tst-tcfree3.c new file mode 100644 index 0000000000..016d30ddd8 --- /dev/null +++ b/malloc/tst-tcfree3.c @@ -0,0 +1,56 @@ +/* Test that malloc tcache catches double free. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include + +/* Prevent GCC from optimizing away any malloc/free pairs. */ +#pragma GCC optimize ("O0") + +static int +do_test (void) +{ + /* Do two allocation of any size that fit in tcache, and one that + doesn't. */ + int ** volatile a = malloc (32); + int ** volatile b = malloc (32); + /* This is just under the mmap threshold. */ + int ** volatile c = malloc (127 * 1024); + + /* The invalid "tcache bucket" we might dereference will likely end + up somewhere within this memory block, so make all the accidental + "next" pointers cause segfaults. BZ #23907. */ + memset (c, 0xff, 127 * 1024); + + free (a); // puts in tcache + + /* A is now free and contains the key we use to detect in-tcache. + Copy the key to the other chunks. */ + memcpy (b, a, 32); + memcpy (c, a, 32); + + /* This free tests the "are we in the tcache already" loop with a + VALID bin but "coincidental" matching key. */ + free (b); // should NOT abort + /* This free tests the "is it a valid tcache bin" test. */ + free (c); // should NOT abort + + return 0; +} + +#include -- cgit v1.2.3