From patchwork Fri May 8 12:02:46 2020
X-Patchwork-Submitter: wangxu
X-Patchwork-Id: 38933
From: "wangxu (AE)"
To: "libc-alpha@sourceware.org", "fw@deneb.enyo.de", "dj@redhat.com", "zackw@panix.com"
Cc: Nixiaoming, "Wangle (RTOS FAE)", "Chengang (L)"
Subject: malloc: tcache_get() may return another valid memory block
Date: Fri, 8 May 2020 12:02:46 +0000

Hi,

The malloc function in the GNU C Library (aka glibc or libc6) since 2.26 may return a memory block which contains another valid memory block pointer, potentially leading to a memory leak. This occurs because the function tcache_get() of the per-thread cache (aka tcache) feature does not set e->next = NULL. With Safe-Linking support, the memory block pointer can be disclosed by REVEAL_PTR(&p).

---
 malloc/malloc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index ee87ddb..8dfb20b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2954,6 +2954,7 @@ tcache_get (size_t tc_idx)
   tcache->entries[tc_idx] = REVEAL_PTR (e->next);
   --(tcache->counts[tc_idx]);
   e->key = NULL;
+  e->next = NULL;
   return (void *) e;
 }
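Review bot: the description calls the consequence a "memory leak", but what this hunk addresses is an information disclosure: the chunk handed back by tcache_get keeps the Safe-Linking-protected link to the next free chunk in its first word, so the commit message should say that an uninitialized allocation exposes allocator metadata, not that memory is leaked. The added line is consistent with the adjacent `e->key = NULL;`, which already scrubs the other tcache_entry field on the same return path, so the change itself is fine; the message should make clear that malloc still does not promise zeroed memory (callers that must not read stale contents still need calloc or explicit initialization) and that this only removes the one pointer the allocator wrote. Minor: the subject line lacks the usual "[PATCH]" prefix.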
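To make the one-line change concrete, here is an added model of a single tcache bin (illustration only, not glibc code and not part of the submission). `model_put` and `model_get` mirror the shape of `tcache_put` and `tcache_get`, the link mangling uses the same XOR-with-`pos >> 12` arithmetic as glibc's `PROTECT_PTR`/`REVEAL_PTR`, the pool of chunks is a constructed array, and the `patched` flag selects whether the proposed `e->next = NULL` runs. Without the line, the first word of a freshly returned block is the mangled link to the next free chunk, and undoing the mangling at that address yields that chunk's address; with the line, the word is zero. `first_word_after_get` and `reveal_stale_word` are helper names chosen here, not glibc identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not glibc code: one tcache bin as a singly linked list whose
   'next' pointers are mangled the way glibc's Safe-Linking macros do it.
   Chunk memory comes from a constructed pool inside the bin. */

typedef struct tcache_entry {
  struct tcache_entry *next;  /* mangled link to the next free chunk */
  void *key;                  /* set while the chunk is free, cleared on get */
} tcache_entry;

#define NCHUNKS 2
#define WORDS_PER_CHUNK 4       /* 32-byte chunks on a 64-bit target */

typedef struct {
  tcache_entry *head;                        /* stands in for tcache->entries[tc_idx] */
  size_t count;                              /* stands in for tcache->counts[tc_idx] */
  uintptr_t pool[NCHUNKS][WORDS_PER_CHUNK];  /* constructed chunk storage */
} model_bin;

/* Same arithmetic as glibc's PROTECT_PTR(pos, ptr). XOR is self-inverse,
   so REVEAL_PTR(ptr) is just PROTECT_PTR(&ptr, ptr). */
static tcache_entry *protect_ptr(const void *pos, const void *ptr) {
  return (tcache_entry *)(((uintptr_t)pos >> 12) ^ (uintptr_t)ptr);
}

/* Model of tcache_put(): link a freed chunk at the head of the bin. */
static void model_put(model_bin *b, void *chunk) {
  tcache_entry *e = chunk;
  e->key = b;
  e->next = protect_ptr(&e->next, b->head);
  b->head = e;
  b->count++;
}

/* Model of tcache_get(): 'patched' selects whether the proposed
   'e->next = NULL' runs before the chunk is handed back. */
static void *model_get(model_bin *b, bool patched) {
  tcache_entry *e = b->head;
  b->head = protect_ptr(&e->next, e->next);  /* REVEAL_PTR (e->next) */
  b->count--;
  e->key = NULL;
  if (patched)
    e->next = NULL;                           /* the one-line change */
  return e;
}

/* Free both constructed chunks, allocate one, and return the first word the
   caller finds in that "fresh" block. pool[1] is freed last, so it is the
   head and is the chunk handed back; pool[0] sits behind it in the list. */
static uintptr_t first_word_after_get(model_bin *b, bool patched) {
  b->head = NULL;
  b->count = 0;
  model_put(b, b->pool[0]);
  model_put(b, b->pool[1]);
  uintptr_t *block = model_get(b, patched);
  return block[0];
}

/* Undo the mangling of the stale word: it lives at address 'block', so the
   same pos-based XOR that REVEAL_PTR applies recovers the linked address. */
static uintptr_t reveal_stale_word(const void *block) {
  uintptr_t word = *(const uintptr_t *)block;
  return (uintptr_t)protect_ptr(block, (const void *)word);
}

int main(void) {
  model_bin b;
  uintptr_t unpatched = first_word_after_get(&b, false);
  printf("unpatched: first word = %#lx, reveals %#lx (pool[0] is at %p)\n",
         (unsigned long)unpatched,
         (unsigned long)reveal_stale_word(b.pool[1]), (void *)b.pool[0]);
  printf("patched:   first word = %#lx\n",
         (unsigned long)first_word_after_get(&b, true));
  return 0;
}
```

The model only covers the one field the patch touches; a real regression test against glibc would additionally have to account for the fact that malloc never promises zeroed memory, so it could only check the specific first-word behaviour this change is meant to remove.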