[Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c


[Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c

fweimer at redhat dot com
Null pointer dereference (problem and fix)

I'm doing some funky hand optimized code in mmap'd regions. I get a NULL pointer
dereference if I call calloc() but not if I call malloc().  The code block in
arena_get2() arena.c is:

  do {
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);

After a few times around the loop, a is NULL resulting in a NULL pointer
dereference when trying to access a->mutex.  The comment indicates that this
should be a circular list.  I'm not sure why there's a NULL, but a simple check
fixes the problem.  If I call the same code from a shared library, no problem.
If I do a bunch of malloc() sleep() free() block, it doesn't crash.  If I set
the MALLOC_CHECK_ flag, it doesn't crash.  Overall an interesting bug to track
down.  I manually checked each heap header to verify I'm not smashing any of the
headers.

  do {
>>>>>>>>>>>>>>>>>>>>>>
    if (!a) break;
<<<<<<<<<<<<<<<<<<<<<<
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);

I've verified it on REL4 (can we even call it linux anymore) and gentoo.

Jason

--
           Summary: Null pointer dereference in arena_get2() in arena.c
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: larsj at inel dot gov
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: i386-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=3769

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
[Bug libc/3769] Null pointer dereference in arena_get2() in arena.c

fweimer at redhat dot com

------- Additional Comments From drepper at redhat dot com  2006-12-20 19:32 -------
This indicates you have a buffer overflow.  Debug it using techniques like
valgrind and mudflap.

--
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME


http://sourceware.org/bugzilla/show_bug.cgi?id=3769

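The loop Jason quotes walks a circular list of arenas looking for one whose mutex is free. The following is an added example, not glibc's code and not from the bug report: a constructed C model of that walk which, instead of skipping a NULL `next` the way the proposed `if (!a) break;` does, reports it as ring corruption, the buffer-overflow symptom drepper's reply points at. `struct arena`, `arena_get`, `scenario` and `MAX_ARENAS` are names invented for this example.

```c
#include <stddef.h>

/* Constructed stand-in for glibc's arena ring (not the real malloc_state):
   a lock flag plus a next pointer; an intact ring always closes on itself. */
struct arena {
    int locked;
    struct arena *next;
};

#define MAX_ARENAS 64 /* far more than a real process has; exceeding it means the ring no longer closes */

/* The arena_get2() walk: first unlocked arena starting at a_tsd, or NULL if
   all are locked. A NULL next, or a walk that never returns to a_tsd, cannot
   happen on an intact ring, so it is flagged via *corrupt rather than skipped
   as the reporter's `if (!a) break;` would; skipping only moves the crash. */
struct arena *arena_get(struct arena *a_tsd, int *corrupt)
{
    struct arena *a = a_tsd;
    int steps = 0;
    *corrupt = 0;
    do {
        if (!a->locked)
            return a;
        a = a->next;
        if (a == NULL || ++steps > MAX_ARENAS) {
            *corrupt = 1;
            return NULL;
        }
    } while (a != a_tsd);
    return NULL;
}

/* Build a ring of n arenas, all locked except free_idx (-1: none), then clear
   arena break_idx's next pointer (-1: leave intact) to stand in for an overflow
   that overwrote it. Returns the chosen index, -1 if all locked, -2 if corrupt. */
int scenario(int n, int free_idx, int break_idx)
{
    struct arena ring[MAX_ARENAS];
    int corrupt = 0;
    if (n < 1 || n > MAX_ARENAS) return -3;
    for (int i = 0; i < n; i++) {
        ring[i].locked = (i != free_idx);
        ring[i].next = &ring[(i + 1) % n];
    }
    if (break_idx >= 0 && break_idx < n) ring[break_idx].next = NULL; /* constructed corruption */
    struct arena *a = arena_get(&ring[0], &corrupt);
    return corrupt ? -2 : (a ? (int)(a - ring) : -1);
}
```

`scenario(4, 2, 1)` returns -2: the clobbered pointer is reached while walking past locked arenas, which is exactly the situation in the report where the NULL showed up only after a few trips around the loop.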