> On Jun 8, 2015, at 2:15 PM, Christopher Ferris <[email protected]> wrote:
>
> Recently, it appears that there was a bug introduced in chunk allocation. The
> bug is exposed by this small snippet of code:
>
> void* mem = malloc(128*1024*1024);
> printf("mem address %p\n", mem);
> free(mem);
> void* large_alloc = malloc(0x80000081UL);
> printf("large mem %p\n", large_alloc);
> free(large_alloc);
>
> It looks like the bug is in the chunk_recycle code, in this piece of code:
>
> 	if (new_addr != NULL) {
> 		extent_node_t key;
> 		extent_node_init(&key, arena, new_addr, alloc_size, false);
> 		node = extent_tree_ad_search(chunks_ad, &key);
> 	} else {
> 		node = chunk_first_fit(arena, chunks_szad, chunks_ad,
> 		    alloc_size);
> 	}
> 	if (node == NULL || (new_addr != NULL && extent_node_size_get(node) <
> 	    size)) {
> 		malloc_mutex_unlock(&arena->chunks_mtx);
> 		return (NULL);
> 	}
>
> The problem is that new_addr == NULL, so the size check is not performed. In
> my testing, removing the new_addr != NULL check fixes the problem, but I
> don't know if that's the correct change.
>
> The first allocation after the free shows the problem, if you try and use the
> whole memory allocation it might segfault, or let you scribble all over
> someone else's memory.
This was caused by integer overflow in size class computation, and is fixed now:
https://github.com/jemalloc/jemalloc/commit/dde067264db6b801f7ffae9616a35dba5d2d9ad4
Thanks,
Jason
_______________________________________________
jemalloc-discuss mailing list
[email protected]
http://www.canonware.com/mailman/listinfo/jemalloc-discuss
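An added illustration of the bug class Jason names, integer overflow in size-class computation; it is neither jemalloc's own s2u code nor anything either poster wrote. The size-class scheme (16-byte quantum, four classes per power-of-two group) is an assumed jemalloc-style layout, and all arithmetic is done in uint32_t so that the 32-bit wrap reproduces on any host. The reporter's request size 0x80000081 is the motivating input; the second input, 0xFFFFFFF1, is constructed to show the rounding step itself wrapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical jemalloc-style size-class rounding (added illustration, not
 * jemalloc's own s2u). Assumed parameters: 16-byte quantum and 4 size
 * classes per power-of-two group. */
#define LG_QUANTUM 4u
#define LG_GROUP   2u

/* Index of the highest set bit of x (x != 0). */
static unsigned lg_floor32(uint32_t x) {
    unsigned r = 0;
    while (x >>= 1) r++;
    return r;
}

/* log2 of the spacing between classes for a request whose ceil(log2) is x:
 * the quantum for the smallest groups, 2^(x-1-LG_GROUP) above that. */
static unsigned lg_delta_for(unsigned x) {
    return (x < LG_GROUP + LG_QUANTUM + 1) ? LG_QUANTUM : x - LG_GROUP - 1;
}

/* Unchecked rounding. Two silent wraps lurk here: (size << 1) for
 * size >= 2^31 picks the spacing of a tiny group, and size + delta_mask
 * near 2^32 wraps to a class far smaller than the request. Neither is
 * reported to the caller. */
static uint32_t s2u_unchecked(uint32_t size) {
    unsigned x = lg_floor32((size << 1) - 1);   /* intended: ceil(log2(size)) */
    uint32_t delta_mask = ((uint32_t)1 << lg_delta_for(x)) - 1;
    return (size + delta_mask) & ~delta_mask;
}

/* Checked rounding: computes ceil(log2(size)) without the doubling shift
 * and refuses any request whose rounded size is not representable, so the
 * allocation fails instead of handing out an undersized region. */
static bool s2u_checked(uint32_t size, uint32_t *usize) {
    if (size == 0) return false;
    unsigned x = (size == 1) ? 0 : lg_floor32(size - 1) + 1;
    uint32_t delta_mask = ((uint32_t)1 << lg_delta_for(x)) - 1;
    if (size > UINT32_MAX - delta_mask) return false;   /* rounding would wrap */
    *usize = (size + delta_mask) & ~delta_mask;
    return *usize >= size;                              /* never round down */
}

/* Convenience wrapper: 0 means "request refused". */
static uint32_t s2u_or_zero(uint32_t size) {
    uint32_t u = 0;
    return s2u_checked(size, &u) ? u : 0;
}

int main(void) {
    /* Reporter's input: the unchecked path lands on a size that is not a
     * class boundary at all (should be 0xA0000000). */
    printf("unchecked(0x80000081) = 0x%08x\n", s2u_unchecked(0x80000081u));
    printf("checked  (0x80000081) = 0x%08x\n", s2u_or_zero(0x80000081u));
    /* Constructed input near UINT32_MAX: the unchecked path wraps to a
     * zero-byte class; the checked path refuses. */
    printf("unchecked(0xFFFFFFF1) = 0x%08x\n", s2u_unchecked(0xFFFFFFF1u));
    printf("checked  (0xFFFFFFF1) = 0x%08x (0 = refused)\n", s2u_or_zero(0xFFFFFFF1u));
    return 0;
}
```

The defensive point is that the check belongs in the size computation, not only at the chunk_recycle comparison the reporter patched: once usize is wrong, every later size check (including extent_node_size_get(node) < size) compares against the wrong value, so removing the new_addr != NULL condition only narrows the window rather than closing it.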