[Bug 794605] [NEW] glibc deadlock on "top chunk is corrupt"
David Sklar
794605 at bugs.launchpad.net
Wed Jun 8 14:50:36 UTC 2011
Public bug reported:
The following program deadlocks when run with MALLOC_CHECK_=3 an
argument of 1 (triggering the strcpy)
===
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
char *p;
p = malloc(20);
if ((argc > 1) && atoi(argv[1])) {
strcpy(p,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
}
free(p);
free(p);
}
==
That is, if you save it as double-free.c and compile it with "gcc -o
double-free double-free.c" and then run "MALLOC_CHECK_=3 ./double-free
1", you'll see:
*** glibc detected *** /home/you/double-free: free(): invalid pointer: 0x0000000000602010 ***
*** glibc detected *** /home/you/double-free: malloc: top chunk is corrupt: 0x0000000000602020 ***
And then it'll just sit there. A backtrace with gdb reveals:
#0 __lll_lock_wait_private ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:97
#1 0x00007ffff7ad7e63 in _L_lock_9561 () from /lib/libc.so.6
#2 0x00007ffff7ad521b in malloc_check (sz=106, caller=<value optimized out>)
at hooks.c:263
#3 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#4 0x00007ffff7ad288a in malloc_printerr () at malloc.c:6283
#5 top_check () at hooks.c:222
#6 0x00007ffff7ad5220 in malloc_check (sz=101, caller=<value optimized out>)
at hooks.c:264
#7 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#8 0x00007ffff7ad04b6 in malloc_printerr (action=3,
str=0x7ffff7ba0e33 "free(): invalid pointer", ptr=<value optimized out>)
at malloc.c:6283
#9 0x0000000000400633 in main (argc=2, argv=0x7fffffffec38) at double-free.c:14
This seems similar to https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/425723 in that re-entrant behavior in malloc diagnostics is trying to re-aquire a mutex that's already been acquired. In malloc/hooks.c, when top_check() calls malloc_printerr() at line 222, maybe there needs to be a "void)mutex_unlock(&main_arena.mutex);" first? I am not sure if that would cause other problems.
lsb_release -rd on my system says:
Description: Ubuntu 10.10
Release: 10.10
apt-cache policy libc6 says:
libc6:
Installed: 2.12.1-0ubuntu10.2
Candidate: 2.12.1-0ubuntu10.2
Version table:
*** 2.12.1-0ubuntu10.2 0
500 http://ubuntu-mirror/ubuntu/ maverick-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.12.1-0ubuntu10.1 0
500 http://ubuntu-mirror/ubuntu/ maverick-security/main amd64 Packages
2.12.1-0ubuntu6 0
500 http://ubuntu-mirror/ubuntu/ maverick/main amd64 Packages
uname -a says (hostname scrubbed):
Linux host.domain.com 2.6.35-28-server #50-Ubuntu SMP Fri Mar 18
18:59:25 UTC 2011 x86_64 GNU/Linux
** Affects: eglibc (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/794605
Title:
glibc deadlock on "top chunk is corrupt"
Status in “eglibc” package in Ubuntu:
New
Bug description:
The following program deadlocks when run with MALLOC_CHECK_=3 an
argument of 1 (triggering the strcpy)
===
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv)
{
char *p;
p = malloc(20);
if ((argc > 1) && atoi(argv[1])) {
strcpy(p,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
}
free(p);
free(p);
}
==
That is, if you save it as double-free.c and compile it with "gcc -o
double-free double-free.c" and then run "MALLOC_CHECK_=3 ./double-free
1", you'll see:
*** glibc detected *** /home/you/double-free: free(): invalid pointer: 0x0000000000602010 ***
*** glibc detected *** /home/you/double-free: malloc: top chunk is corrupt: 0x0000000000602020 ***
And then it'll just sit there. A backtrace with gdb reveals:
#0 __lll_lock_wait_private ()
at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:97
#1 0x00007ffff7ad7e63 in _L_lock_9561 () from /lib/libc.so.6
#2 0x00007ffff7ad521b in malloc_check (sz=106, caller=<value optimized out>)
at hooks.c:263
#3 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#4 0x00007ffff7ad288a in malloc_printerr () at malloc.c:6283
#5 top_check () at hooks.c:222
#6 0x00007ffff7ad5220 in malloc_check (sz=101, caller=<value optimized out>)
at hooks.c:264
#7 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#8 0x00007ffff7ad04b6 in malloc_printerr (action=3,
str=0x7ffff7ba0e33 "free(): invalid pointer", ptr=<value optimized out>)
at malloc.c:6283
#9 0x0000000000400633 in main (argc=2, argv=0x7fffffffec38) at double-free.c:14
This seems similar to https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/425723 in that re-entrant behavior in malloc diagnostics is trying to re-aquire a mutex that's already been acquired. In malloc/hooks.c, when top_check() calls malloc_printerr() at line 222, maybe there needs to be a "void)mutex_unlock(&main_arena.mutex);" first? I am not sure if that would cause other problems.
lsb_release -rd on my system says:
Description: Ubuntu 10.10
Release: 10.10
apt-cache policy libc6 says:
libc6:
Installed: 2.12.1-0ubuntu10.2
Candidate: 2.12.1-0ubuntu10.2
Version table:
*** 2.12.1-0ubuntu10.2 0
500 http://ubuntu-mirror/ubuntu/ maverick-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.12.1-0ubuntu10.1 0
500 http://ubuntu-mirror/ubuntu/ maverick-security/main amd64 Packages
2.12.1-0ubuntu6 0
500 http://ubuntu-mirror/ubuntu/ maverick/main amd64 Packages
uname -a says (hostname scrubbed):
Linux host.domain.com 2.6.35-28-server #50-Ubuntu SMP Fri Mar 18
18:59:25 UTC 2011 x86_64 GNU/Linux
More information about the foundations-bugs
mailing list