From patchwork Mon Jun 8 10:37:43 2015
X-Patchwork-Submitter: Mel Gorman
X-Patchwork-Id: 7070
Delivered-To: mailing list libc-alpha@sourceware.org
Date: Mon, 8 Jun 2015 11:37:43 +0100
From: Mel Gorman
To: Siddhesh Poyarekar, Carlos O'Donell
Cc: Andreas Schwab, libc-alpha@sourceware.org
Subject: [PATCH] [v2] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE [BZ #18502]
Message-ID: <20150608103743.GN26425@suse.de>
User-Agent: Mutt/1.5.21 (2010-09-15)

mksquashfs was reported in openSUSE to be causing segmentation faults when
creating installation images. Testing showed that mksquashfs sometimes failed
and could be reproduced within 10 attempts. The core dump looked like the heap
top was corrupted and was pointing to an unmapped area. In other cases, this
has been due to an application corrupting glibc structures, but mksquashfs
appears to be fine in this regard.

The problem is that heap_trim is "growing" the top into unmapped space. If the
top chunk == MINSIZE then top_area is -1 and this check does not behave as
expected due to a signed/unsigned comparison:

	if (top_area <= pad)
		return 0;

The next calculation

	extra = ALIGN_DOWN(top_area - pad, pagesz)

calculates extra as a negative number, which also goes unnoticed due to a
signed/unsigned comparison. We then call shrink_heap(heap, negative_number)
which crashes later.

This patch adds a simple check against MINSIZE to make sure extra does not
become negative. Without the patch, mksquashfs fails within 10 attempts. With
the patch, 1000 tests completed successfully. The standard test suite
"make check" showed no changes in the summary of test results.

---
2015-06-08  Mel Gorman

	[BZ #18502]
	* malloc/arena.c: Avoid corruption of the top of heaps for threads

 malloc/arena.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malloc/arena.c b/malloc/arena.c
index 2466697d1aa7..b932574ccaf8 100644
--- a/malloc/arena.c
+++ b/malloc/arena.c
@@ -698,6 +698,9 @@ heap_trim (heap_info *heap, size_t pad) /* Uses similar logic for per-thread arenas as the main arena with systrim by preserving the top pad and at least a page. */ top_size = chunksize (top_chunk); + if (top_size == MINSIZE) + return 0; + top_area = top_size - MINSIZE - 1; if (top_area <= pad) return 0;
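Review bot: the new `if (top_size == MINSIZE) return 0;` catches exactly the value the mail describes, but the defect it works around is the wrap in `top_area = top_size - MINSIZE - 1;` being hidden by the unsigned comparison against `pad` on the next line, so a guard on the condition rather than on one value (e.g. `if (top_size <= MINSIZE) return 0;`) would be the safer shape and costs nothing. A one-line comment above the check, stating that a MINSIZE top chunk has nothing to trim and that the subtraction below would otherwise go negative, would spare the next reader rediscovering the signed/unsigned interaction. Minor: the ChangeLog entry should name the function in the usual glibc form, `* malloc/arena.c (heap_trim): ...`.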
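To make the mixed-sign arithmetic from the description concrete, here is an added stand-alone C model of the heap_trim computation; it is not glibc code, and it assumes a 64-bit MINSIZE of 32, a 4 KiB page, and the two's-complement wrap that gcc applies when an out-of-range unsigned value is stored in a long:

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values for a 64-bit glibc build; not taken from the real headers. */
#define MINSIZE 32UL
#define PAGESZ  4096UL
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1))

/* Mirrors the arithmetic in heap_trim as described in the patch mail.
   Returns the byte count that would be handed to shrink_heap, or 0 when
   the heap must be left alone. 'fixed' enables the check the patch adds. */
long trim_amount(long top_size, size_t pad, int fixed)
{
  long top_area, extra;

  if (fixed && top_size == MINSIZE)   /* the added guard */
    return 0;

  /* long - size_t is computed as unsigned; storing it back yields -1
     when top_size == MINSIZE (implementation-defined wrap, as gcc does). */
  top_area = top_size - MINSIZE - 1;

  /* top_area is long, pad is size_t: usual arithmetic conversions turn -1
     into SIZE_MAX, so this guard silently passes instead of returning. */
  if (top_area <= pad)
    return 0;

  /* Same conversion: the difference wraps to a huge unsigned value,
     ALIGN_DOWN keeps it huge, and the long receives a negative count. */
  extra = ALIGN_DOWN(top_area - pad, PAGESZ);
  return extra;
}

int main(void)
{
  printf("unfixed, top == MINSIZE, pad 128K: %ld\n", trim_amount(32, 131072, 0));
  printf("fixed,   top == MINSIZE, pad 128K: %ld\n", trim_amount(32, 131072, 1));
  printf("fixed,   top == 1 MiB,   pad 128K: %ld\n", trim_amount(1048576, 131072, 1));
  return 0;
}
```

The unpatched path returns a negative byte count for a MINSIZE top chunk, which is what shrink_heap would later treat as growth; the patched path returns 0 there and behaves identically for a normal top chunk.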