From patchwork Thu Mar 4 16:30:26 2021
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 42243
To: libc-alpha@sourceware.org, Richard.Earnshaw@arm.com, DJ Delorie
Subject: [PATCH 01/16] malloc: Fix a realloc crash with heap tagging [BZ 27468]
Date: Thu, 4 Mar 2021 16:30:26 +0000
X-Mailer: git-send-email 2.17.1
List-Id: Libc-alpha mailing list
From: Szabolcs Nagy

_int_free must be called with a chunk that has its tag reset. This was missing in a rare case that could crash when heap tagging is enabled: when, in a multi-threaded process, the current arena runs out of memory during realloc but another arena still has space to finish the realloc, _int_free was called without clearing the user allocation tags.

And another _int_free call site in realloc used the wrong size for the tag clearing: the chunk header of the next chunk was also cleared, which in practice is probably not a problem, but logically that belongs to a different chunk so it may cause trouble.

Fixes bug 27468.
---
 malloc/malloc.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c index 1f4bbd8edf..10ea6aa441 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes) newp = __libc_malloc (bytes); if (newp != NULL) { - memcpy (newp, oldmem, oldsize - SIZE_SZ); + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ; + memcpy (newp, oldmem, sz); + (void) TAG_REGION (chunk2rawmem (oldp), sz); _int_free (ar_ptr, oldp, 0); } } @@ -4850,10 +4852,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, else { void *oldmem = chunk2mem (oldp); + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ; newmem = TAG_NEW_USABLE (newmem); - memcpy (newmem, oldmem, - CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ); - (void) TAG_REGION (chunk2rawmem (oldp), oldsize); + memcpy (newmem, oldmem, sz); + (void) TAG_REGION (chunk2rawmem (oldp), sz); _int_free (av, oldp, 1); check_inuse_chunk (av, newp); return chunk2mem (newp);
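Review bot: In the __libc_realloc hunk the memcpy length is changed from `oldsize - SIZE_SZ` to `CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ`, but the commit message only describes the missing tag reset, so the size change is undocumented. Please either state in the message that the two expressions yield the same byte count on this path (the chunk is not mmapped here, it came from an arena that ran out of space), or move the size change into its own commit; as written a reader has to verify on their own that the new `sz` does not copy past what the old chunk held. The added `(void) TAG_REGION (chunk2rawmem (oldp), sz);` immediately before `_int_free (ar_ptr, oldp, 0);` is the real fix and satisfies the "tag reset before _int_free" precondition the message cites, and using the same `sz` for the copy and the untag keeps the two consistent.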
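Review bot: The _int_realloc hunk now duplicates the sequence from the __libc_realloc hunk (compute `sz`, `memcpy`, `(void) TAG_REGION (chunk2rawmem (oldp), sz);`, `_int_free`); a small static helper that untags and frees the old chunk in one place would keep the invariant from drifting at a third call site later. The replaced `TAG_REGION (chunk2rawmem (oldp), oldsize)` started at the user region but spanned the full chunk size, which is how it reached into the next chunk's header as the message says; bounding it by `sz` is the right fix. Separately, the diffstat touches only malloc/malloc.c: the multi-threaded arena-exhaustion realloc path described in the message has no regression test in this patch, so a test for BZ 27468 that runs with heap tagging enabled would be worth adding if one can be made to reach that path reliably.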