From: Rich Felker <dalias@libc.org>
To: Benedict <hymeng90@126.com>
Cc: musl <musl@lists.openwall.com>
Subject: Re: [musl] realloc buffer overflow issue
Date: Sun, 28 Feb 2021 11:48:40 -0500 [thread overview]
Message-ID: <20210228164839.GE32655@brightrain.aerifal.cx> (raw)
In-Reply-To: <32f125fa.2032.177e95996dd.Coremail.hymeng90@126.com>
On Sun, Feb 28, 2021 at 11:54:58PM +0800, Benedict wrote:
> I found an memory leak issue in my multi-thread, which had fixed issue by the following patch
>
>
>
> https://git.musl-libc.org/cgit/musl/commit/src/malloc?id=3e16313f8fe2ed143ae0267fd79d63014c24779f
>
>
>
>
>
>
> about this patch, I think it involved a bug for realloc function:
> when the request size 'n' (the second paramter passed to realloc)
> lesser than the original memory size 'n0' (the memory block that
> first paramter of realloc pointed to) and the next chunk of 'self '
> is in used state, the realloc should call trim(self, n) to split
> current chunk rather than call malloc, that will cause memcpy buffer
> overflow due to 'n < n0', and it will cause next malloc crash...
>
>
> after fix, I think it should be like:
> lock(mal.split_merge_lock);
>
>
> size_t nsize = next->csize & C_INUSE ? 0 : CHUNK_SIZE(next);
> if (nsize)) {
> int i = bin_index(nsize);
> lock_bin(i);
> if (!(next->csize & C_INUSE)) {
> unbin(next, i);
> next = NEXT_CHUNK(next);
> self->csize = next->psize = n0+nsize | C_INUSE;
> }
> unlock_bin(i);
> }
>
> if(CHUNK_SIZE(self) >= n) {
> trim(self, n);
> unlock(mal.split_merge_lock);
> return CHUNK_TO_MEM(self);
> }
> unlock(mal.split_merge_lock);
>
>
> copy_realloc:
> /* As a last resort, allocate a new chunk and copy to it. */
> new = malloc(n-OVERHEAD);
> if (!new) return 0;
> copy_free_ret:
> memcpy(new, p, n0-OVERHEAD);
> free(CHUNK_TO_MEM(self));
> return new;
I haven't looked in detail yet but isn't this the same bug fixed a
week after it was introduced with commits
cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46 and
fca7428c096066482d8c3f52450810288e27515c ?
Rich
prev parent reply other threads:[~2021-02-28 16:48 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-28 15:54 Benedict
2021-02-28 16:48 ` Rich Felker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210228164839.GE32655@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=hymeng90@126.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).