I believe I am seeing this bug in action on Ubuntu 12.04.3 AMD64.  I
have some gdb backtrace info pasted below.  I am surprised glibc malloc
has been broken for more than 1 year.  I will definitely avoid it in the
future, but it also shows the potential for future instability at the
OS-level:

##t 3 crash SIGSEGV
#0  malloc_consolidate (av=0x7fa89c000020) at malloc.c:4272
#1  0x00007fa8d08ceb89 in malloc_consolidate (av=0x7fa89c000020)
    at malloc.c:4247
#2  _int_free (av=0x7fa89c000020, p=<optimized out>, have_lock=0)
    at malloc.c:4178
#3  0x000000000041a8f8 in __gnu_cxx::new_allocator<unsigned long>::deallocate (
    this=0x7fa89c000ae8, __p=0x7fa89c068bc0)
    at /usr/include/c++/4.6/ext/new_allocator.h:98
#4  0x000000000041a484 in std::_Deque_base<unsigned long, 
std::allocator<unsigned long> >::_M_deallocate_node (this=0x7fa89c000ae8, 
__p=0x7fa89c068bc0)
    at /usr/include/c++/4.6/bits/stl_deque.h:531
##f 0
##p *av
*av = {mutex = 1, flags = 3, fastbinsY = {0x0, 0x7fa89c182920, 0x7fa89c15ed80,
    0x0, 0x7fa89c16b170, 0x7fa89c05aa80, 0x7fa89c185340, 0x0, 0x0, 0x0},
  top = 0x7fa89c18bb30, last_remainder = 0x7fa89c141170, bins = {
    0x7fa89c141170, ...},
  binmap = {262428, 8, 1, 2}, next = 0x7fa8b0000020, next_free = 0x0,
  system_mem = 1634304, max_system_mem = 1634304}
##t 2
#0  sYSMALLOc (av=<optimized out>, nb=528) at malloc.c:2756
#1  _int_malloc (av=<optimized out>, bytes=512) at malloc.c:3924
#2  0x00007fa8d08d1f95 in __GI___libc_malloc (bytes=512) at malloc.c:2924
#3  0x00007fa8d01cfd8b in j__udyLAllocJLL5 () from /usr/lib/libJudy.so.1
#4  0x00007fa8d01cc9ae in ?? () from /usr/lib/libJudy.so.1
#5  0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1
#6  0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1
#7  0x00007fa8d01ca3ee in ?? () from /usr/lib/libJudy.so.1
#8  0x00007fa8d01cd83f in JudyLIns () from /usr/lib/libJudy.so.1

The malloc.c line numbers look erroneous based on my examination of the
source code from http://packages.ubuntu.com/precise/libc6 .
Unfortunately, that must just be a problem with the libc6-dbg package
data.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1020210

Title:
  Race condition using ATOMIC_FASTBINS in _int_free causes crash or heap
  corruption

To manage notifications about this bug go to:
https://bugs.launchpad.net/eglibc/+bug/1020210/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs