FS#57350 - [glibc] Doesn't raise errors on double free corruption
Attached to Project:
Arch Linux
Opened by Joel (torpe23) - Saturday, 03 February 2018, 07:16 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Thursday, 08 February 2018, 18:41 GMT
Details
According to "man mallopt", the default behavior in case of
double free corruption should be "Print detailed error
message, stack trace, and memory mappings, and abort the
program".
This is not the case when compiling and running a program in Arch. For example:

$ cat toto.c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int *a;
    a = malloc(20);
    free(a);
    free(a);
    return 0;
}
$ make toto
cc toto.c -o toto
$ ./toto
$

Worse, if I specify the value 2 to mallopt(), explicitly requiring to abort the program upon malloc errors (such as a double free), nothing happens either.

$ cat toto.c
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int *a;
    mallopt(M_CHECK_ACTION, 2);
    a = malloc(20);
    free(a);
    free(a);
    return 0;
}
$ make toto
cc toto.c -o toto
$ ./toto
$

The process should get killed by an abort signal. Any idea what would be the cause of the program not crashing?
Closed by Bartłomiej Piotrowski (Barthalion)
Thursday, 08 February 2018, 18:41 GMT
Reason for closing: Not a bug
double free or corruption (top)
Aborted (core dumped)
I have no idea if there is some threshold somewhere.
See the code for tcache use in free https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=f8e7250f70f6f26b0acb5901bcc4f6e39a8a52b2;hb=HEAD#l4165
I also just opened a bug report with glibc directly: https://sourceware.org/bugzilla/show_bug.cgi?id=22780
https://sourceware.org/git/?p=glibc.git;a=blob;f=manual/memory.texi;h=b95f6aa1b9b8fe658fccfb92165f7084808760c5;hb=HEAD
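Added example (not part of the bug report, the comments, or the linked glibc sources): a small probe that runs malloc/free/free in a forked child for several request sizes and reports how the child ended, so the parent survives the abort. The threshold the comments are wondering about is the tcache limit: on a default 64-bit glibc build tcache serves requests of up to 1032 usable bytes (chunk size 0x410), and free() of such a chunk goes straight into the per-thread tcache bin without reaching the "double free or corruption" checks the reporter expected. A request larger than that (2000 bytes here) takes the regular free path, where the chunk is merged into top and the second free() trips the "double free or corruption (top)" check shown above. On glibc 2.26 through 2.28 the 20-byte case therefore returns silently, as in the report; glibc 2.29 added a key field to tcache entries and since then aborts with "free(): double free detected in tcache 2". The size constant and the fork/waitpid harness are this example's own assumptions, and it assumes Linux with glibc.

```c
/* Added example: probe glibc's double-free handling by request size.
 * Each probe runs malloc/free/free in a forked child and reports how the
 * child ended, so the parent process survives the abort.
 * Assumption: Linux with glibc; the outcome depends on the glibc version. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Largest request that tcache serves on a default 64-bit glibc build
 * (tcache chunk size 0x410 = 1032 usable bytes). Assumed constant. */
#define TCACHE_MAX_USABLE 1032

/* Returns 0 if the child returned normally (the double free went unnoticed),
 * the terminating signal number if malloc's checks killed it (SIGABRT on
 * glibc), or -1 if the harness itself failed. */
int double_free_in_child(size_t n)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        char *p = malloc(n);
        if (p == NULL)
            _exit(2);
        free(p);
        free(p);            /* the double free under test */
        _exit(0);           /* _exit: no atexit handlers or stdio flush in the child */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: well inside tcache, at its limit, just past
     * it, and well past it. */
    size_t sizes[] = { 20, TCACHE_MAX_USABLE, TCACHE_MAX_USABLE + 1, 2000 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int r = double_free_in_child(sizes[i]);
        printf("malloc(%zu): double free -> %s\n", sizes[i],
               r == SIGABRT ? "aborted (SIGABRT)" :
               r == 0      ? "no error reported" :
                             "other outcome");
    }
    return 0;
}
```

Run it as an unprivileged user; on glibc 2.26 through 2.28 the first two sizes report "no error reported" and the last two abort, while on glibc 2.29 and later all four abort. The fork-per-probe design is what lets one process demonstrate several outcomes, since the failing case terminates whichever process performs the second free().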