malloc: Add another test for tcache double free check.

Message ID xnbm65sz0v.fsf@greed.delorie.com
State New
Headers show
Series
  • malloc: Add another test for tcache double free check.
Related show

Commit Message

DJ Delorie Dec. 1, 2018, 3:32 a.m.
This one tests for RHBZ#1652495 where the double free
test didn't check the tcache bin bounds before dereferencing
the bin.

	* malloc/tst-tcfree3.c: New.
	* malloc/Makefile: Add it.

Comments

Carlos O'Donell Dec. 1, 2018, 3:58 a.m. | #1
On 11/30/18 10:32 PM, DJ Delorie wrote:
> This one tests for RHBZ#1652495 where the double free

> test didn't check the tcache bin bounds before dereferencing

> the bin.


OK for master if you tested it catches the bug, and you fixup
the comments below.

Reviewed-by: Carlos O'Donell <carlos@redhat.co>


Did you test that the test crashes without Florian's fix, but
with your doubl-free code enabled?

Needs a bug number in ChangeLog:
	[BZ #23907]

> 	* malloc/tst-tcfree3.c: New.

> 	* malloc/Makefile: Add it.

> 

> diff --git a/malloc/Makefile b/malloc/Makefile

> index e6dfbfc14c..388cf7e9ee 100644

> --- a/malloc/Makefile

> +++ b/malloc/Makefile

> @@ -38,7 +38,7 @@ tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \

>  	 tst-malloc_info \

>  	 tst-malloc-too-large \

>  	 tst-malloc-stats-cancellation \

> -	 tst-tcfree1 tst-tcfree2 \

> +	 tst-tcfree1 tst-tcfree2 tst-tcfree3 \


Ok.

>  

>  tests-static := \

>  	 tst-interpose-static-nothread \

> diff --git a/malloc/tst-tcfree3.c b/malloc/tst-tcfree3.c

> new file mode 100644

> index 0000000000..1db6d2b220

> --- /dev/null

> +++ b/malloc/tst-tcfree3.c

> @@ -0,0 +1,56 @@

> +/* Test that malloc tcache catches double free.

> +   Copyright (C) 2018 Free Software Foundation, Inc.

> +   This file is part of the GNU C Library.

> +

> +   The GNU C Library is free software; you can redistribute it and/or

> +   modify it under the terms of the GNU Lesser General Public

> +   License as published by the Free Software Foundation; either

> +   version 2.1 of the License, or (at your option) any later version.

> +

> +   The GNU C Library is distributed in the hope that it will be useful,

> +   but WITHOUT ANY WARRANTY; without even the implied warranty of

> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

> +   Lesser General Public License for more details.

> +

> +   You should have received a copy of the GNU Lesser General Public

> +   License along with the GNU C Library; if not, see

> +   <http://www.gnu.org/licenses/>.  */

> +

> +#include <malloc.h>

> +#include <string.h>

> +

> +/* Prevent GCC from optimizing away any malloc/free pairs.  */

> +#pragma GCC optimize ("O0")

> +

> +static int

> +do_test (void)

> +{

> +  /* Do two allocation of any size that fit in tcache, and one that

> +     doesn't.  */

> +  int ** volatile a = malloc (32);

> +  int ** volatile b = malloc (32);

> +  /* This is just under the MMAP threshold.  */


s/MMAP/mmap/g

> +  int ** volatile c = malloc (127 * 1024);

> +

> +  /* The invalid "tcache bucket" we might dereference will likely end

> +     up somewhere within this memory block, so make all the accidental

> +     "next" pointers cause segfaults.  RHBZ#1652495.  */


s/RHBZ#1652495/BZ #23907/g

> +  memset (c, 0xff, 127 * 1024);

> +

> +  free (a); // puts in tcache

> +

> +  /* A is now free and contains the key we use to detect in-tcache.

> +     Copy the key to the other chunks.  */

> +  memcpy (b, a, 32);

> +  memcpy (c, a, 32);

> +

> +  /* This free tests the "are we in the tcache already" loop with a

> +     VALID bin but "coincidental" matching key.  */

> +  free (b); // should NOT abort

> +  /* This free tests the "is it a valid tcache bin" test.  */

> +  free (c); // should NOT abort

> +  

> +  return 0;

> +}

> +

> +#include <support/test-driver.c>

> 



-- 
Cheers,
Carlos.

Patch

diff --git a/malloc/Makefile b/malloc/Makefile
index e6dfbfc14c..388cf7e9ee 100644
--- a/malloc/Makefile
+++ b/malloc/Makefile
@@ -38,7 +38,7 @@  tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \
 	 tst-malloc_info \
 	 tst-malloc-too-large \
 	 tst-malloc-stats-cancellation \
-	 tst-tcfree1 tst-tcfree2 \
+	 tst-tcfree1 tst-tcfree2 tst-tcfree3 \
 
 tests-static := \
 	 tst-interpose-static-nothread \
diff --git a/malloc/tst-tcfree3.c b/malloc/tst-tcfree3.c
new file mode 100644
index 0000000000..1db6d2b220
--- /dev/null
+++ b/malloc/tst-tcfree3.c
@@ -0,0 +1,56 @@ 
+/* Test that malloc tcache catches double free.
+   Copyright (C) 2018 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <malloc.h>
+#include <string.h>
+
+/* Prevent GCC from optimizing away any malloc/free pairs.  */
+#pragma GCC optimize ("O0")
+
+static int
+do_test (void)
+{
+  /* Do two allocation of any size that fit in tcache, and one that
+     doesn't.  */
+  int ** volatile a = malloc (32);
+  int ** volatile b = malloc (32);
+  /* This is just under the MMAP threshold.  */
+  int ** volatile c = malloc (127 * 1024);
+
+  /* The invalid "tcache bucket" we might dereference will likely end
+     up somewhere within this memory block, so make all the accidental
+     "next" pointers cause segfaults.  RHBZ#1652495.  */
+  memset (c, 0xff, 127 * 1024);
+
+  free (a); // puts in tcache
+
+  /* A is now free and contains the key we use to detect in-tcache.
+     Copy the key to the other chunks.  */
+  memcpy (b, a, 32);
+  memcpy (c, a, 32);
+
+  /* This free tests the "are we in the tcache already" loop with a
+     VALID bin but "coincidental" matching key.  */
+  free (b); // should NOT abort
+  /* This free tests the "is it a valid tcache bin" test.  */
+  free (c); // should NOT abort
+  
+  return 0;
+}
+
+#include <support/test-driver.c>