From patchwork Fri Dec 11 14:06:43 2020
X-Patchwork-Submitter: "W. Hashimoto"
X-Patchwork-Id: 41361
To: libc-alpha@sourceware.org
Subject: [PATCH] malloc: tcache: detect infinite-loop in _int_free when freeing tcache [BZ#27052]
Date: Fri, 11 Dec 2020 23:06:43 +0900
Message-Id: <20201211140643.2476907-1-ssmallkirby@gmail.com>
From: "W. Hashimoto"

If the linked list of tcache contains a loop, it invokes an infinite loop in _int_free when freeing tcache. The PoC which invokes such an infinite loop is on the Bugzilla (#27052). This loop should terminate when the loop exceeds mp_.tcache_count and the program should abort. The affected glibc version is 2.29 or later.

---
 malloc/malloc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c index 5b87bdb081..aadae327bf 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4224,11 +4224,14 @@ _int_free (mstate av, mchunkptr p, int have_lock) if (__glibc_unlikely (e->key == tcache)) { tcache_entry *tmp; + size_t cnt = 0; LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx); for (tmp = tcache->entries[tc_idx]; tmp; - tmp = REVEAL_PTR (tmp->next)) + tmp = REVEAL_PTR (tmp->next), ++cnt) { + if (cnt >= mp_.tcache_count) + malloc_printerr ("free(): too many chunks detected in tcache"); if (__glibc_unlikely (!aligned_OK (tmp))) malloc_printerr ("free(): unaligned chunk detected in tcache 2"); if (tmp == e)
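Review bot: the `if (cnt >= mp_.tcache_count)` check in the double-free scan is correct only because a tcache bin never legitimately holds more than mp_.tcache_count entries, and that invariant is what makes the bound distinguish a corrupted (cyclic) list from a full one; the hunk should say so in a one-line comment above the check, e.g. `/* A bin holds at most mp_.tcache_count chunks; a longer walk means the list is corrupted.  */`, so a later change to tcache sizing does not silently turn this into a false abort. Since `cnt` is only incremented in the for-increment expression, the abort fires on the (mp_.tcache_count + 1)-th visited node, so a full bin of exactly mp_.tcache_count chunks still reaches `tmp == e` before the bound trips; that is the intended behaviour and worth a sentence in the commit message. The new `malloc_printerr ("free(): too many chunks detected in tcache")` is a new fatal error string, so the patch should come with a test under malloc/ that exercises it (the existing tcache double-free tests are the model) and a NEWS entry for BZ#27052.

The bounded walk the patch introduces, as an added stand-alone model in C that is not part of the patch or of glibc: it mirrors the loop in _int_free (walk the bin looking for the chunk being freed, but give up after the per-bin limit) and returns a result code instead of calling malloc_printerr so the three outcomes can be checked. The names tcache_bin entry_t, walk_result, scan_bin_for_double_free, the demo_* functions and the constant TCACHE_COUNT are assumptions for this illustration, not glibc identifiers; the list data is constructed inline.

```c
/* Added example, not glibc code: a model of the count-bounded tcache walk.
   TCACHE_COUNT stands in for mp_.tcache_count (glibc's default is 7). */
#include <stddef.h>

#define TCACHE_COUNT 7

/* Minimal stand-in for tcache_entry: glibc additionally mangles `next`
   with PROTECT_PTR/REVEAL_PTR, which this model omits. */
typedef struct entry {
  struct entry *next;
} entry_t;

enum walk_result {
  WALK_OK = 0,          /* e not in the bin: not a double free */
  WALK_DOUBLE_FREE = 1, /* e already in the bin: "double free detected" */
  WALK_TOO_MANY = 2     /* more than TCACHE_COUNT nodes: corrupted/cyclic list */
};

/* Walk the bin starting at head looking for e.  A legitimate bin never holds
   more than TCACHE_COUNT chunks, so if the walk visits more nodes than that
   the list is corrupted (for example it contains a cycle) and continuing
   would never terminate.  The bound is checked before the equality test, as
   in the patch, so a full bin of exactly TCACHE_COUNT entries still reaches
   `tmp == e` before the bound trips. */
enum walk_result scan_bin_for_double_free(entry_t *head, entry_t *e)
{
  size_t cnt = 0;
  for (entry_t *tmp = head; tmp; tmp = tmp->next, ++cnt) {
    if (cnt >= TCACHE_COUNT)
      return WALK_TOO_MANY;
    if (tmp == e)
      return WALK_DOUBLE_FREE;
  }
  return WALK_OK;
}

/* Constructed scenario 1: a well-formed two-entry bin, freeing an unrelated chunk. */
enum walk_result demo_clean(void)
{
  entry_t a = {0}, b = {0}, other = {0};
  a.next = &b;
  b.next = NULL;
  return scan_bin_for_double_free(&a, &other);
}

/* Constructed scenario 2: freeing a chunk that is already in the bin. */
enum walk_result demo_double_free(void)
{
  entry_t a = {0}, b = {0};
  a.next = &b;
  b.next = NULL;
  return scan_bin_for_double_free(&a, &b);
}

/* Constructed scenario 3: a full bin of exactly TCACHE_COUNT entries whose
   last node is the chunk being freed; the bound must not fire early. */
enum walk_result demo_full_bin_last_entry(void)
{
  entry_t nodes[TCACHE_COUNT] = {{0}};
  for (size_t i = 0; i + 1 < TCACHE_COUNT; i++)
    nodes[i].next = &nodes[i + 1];
  nodes[TCACHE_COUNT - 1].next = NULL;
  return scan_bin_for_double_free(&nodes[0], &nodes[TCACHE_COUNT - 1]);
}

/* Constructed scenario 4: a corrupted bin whose `next` pointers form a cycle
   that does not contain the chunk being freed.  Without the bound this walk
   would never terminate; with it the walk reports the corruption. */
enum walk_result demo_cycle(void)
{
  entry_t a = {0}, b = {0}, other = {0};
  a.next = &b;
  b.next = &a;
  return scan_bin_for_double_free(&a, &other);
}
```

The model keeps the patch's ordering (bound check, then equality check) so that scenario 3 demonstrates why `>=` against the per-bin limit cannot trip on a valid, full bin, while scenario 4 shows the case the patch exists for: a cycle that the original unbounded loop would spin on forever.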