malloc: tcache_get() may return another valid memory block
Commit Message
Hi,
The malloc function in the GNU C Library (aka glibc or libc6) since
2.26 may return a memory block which contains another valid memory block
pointer, potentially leading to memory leak.
This occurs because the function tcache_get() of the per-thread cache (aka tcache) feature
does not set e->next = NULL.
With Safe-Linking support, the memory block pointer can be disclosed by REVEAL_PTR(&p).
---
malloc/malloc.c | 1 +
1 file changed, 1 insertion(+)
Comments
* wangxu:
> The malloc function in the GNU C Library (aka glibc or libc6) since
> 2.26, may return a memory block which contain another valid memory
> block pointer, potentially leading to memory leak.
Do you mean “memory leak” as in “information disclosure”?
Thanks,
Florian
@@ -2954,6 +2954,7 @@ tcache_get (size_t tc_idx)
tcache->entries[tc_idx] = REVEAL_PTR (e->next);
--(tcache->counts[tc_idx]);
e->key = NULL;
+ e->next = NULL;
return (void *) e;
}
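Review bot: the commit message should describe the effect of this store in terms of what the visible code does: after `tcache->entries[tc_idx] = REVEAL_PTR (e->next);` the chunk handed back to the caller still holds the protected next pointer, so a caller that reads the uninitialized start of its own allocation can recover the address of the next free chunk in that bin; that is an information disclosure (as Florian asks), not a memory leak, and the message should say so. It should also state that malloc() makes no promise about the contents of returned memory, so `e->next = NULL;` is hardening that limits what an uninitialized read reveals rather than a fix for defined behaviour, and that the new store sits on the tcache fast path, so a sentence on its (negligible) cost belongs in the rationale. A short comment above the two clearing stores (`e->key = NULL;` and the new `e->next = NULL;`) explaining that both free-list fields are scrubbed before the chunk leaves the cache would help future readers.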