Fix race in corruption check.

With atomic fastbins the checks performed can race with concurrent modifications of the arena. If we detect a problem re-do the test after getting the lock.
git-mirror · Jul 16, 2009 · bec466d · bec466d
1 parent bea0ac1
commit bec466d
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+2009-07-16  Ulrich Drepper  <drepper@redhat.com>
+	    Jakub Jelinek  <jakub@redhat.com>
+
+	* malloc/malloc.c [ATOMIC_FASTBINS] (_int_free): Make check for
+	corruption thread-safe.
+
 2009-07-13  Jakub Jelinek  <jakub@redhat.com>
 
 	* include/atomic.h (catomic_compare_and_exchange_val_rel): If arch

diff --git a/malloc/malloc.c b/malloc/malloc.c
@@ -4799,8 +4799,29 @@ _int_free(mstate av, mchunkptr p)
 	|| __builtin_expect (chunksize (chunk_at_offset (p, size))
 			     >= av->system_mem, 0))
       {
-	errstr = "free(): invalid next size (fast)";
-	goto errout;
+#ifdef ATOMIC_FASTBINS
+	/* We might not have a lock at this point and concurrent modifications
+	   of system_mem might have let to a false positive.  Redo the test
+	   after getting the lock.  */
+	if (have_lock
+	    || ({ assert (locked == 0);
+		  mutex_lock(&av->mutex);
+		  locked = 1;
+		  chunk_at_offset (p, size)->size <= 2 * SIZE_SZ
+		    || chunksize (chunk_at_offset (p, size)) >= av->system_mem;
+	      }))
+#endif
+	  {
+	    errstr = "free(): invalid next size (fast)";
+	    goto errout;
+	  }
+#ifdef ATOMIC_FASTBINS
+	if (! have_lock)
+	  {
+	    (void)mutex_unlock(&av->mutex);
+	    locked = 0;
+	  }
+#endif
       }
 
     if (__builtin_expect (perturb_byte, 0))