This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c


Null pointer dereference (problem and fix)

I'm doing some funky hand optimized code in mmap'd regions. I get a NULL pointer
dereference if I call calloc() but not if I call malloc().  The code block in
arena_get2() in arena.c is:

  do {
    if(!mutex_trylock(&a->mutex)) {        /* got the arena's lock */
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;                           /* arena busy, try the next one */
  } while(a != a_tsd);                     /* list is expected to be circular */

After a few times around the loop, a is NULL resulting in a NULL pointer
dereference when trying to access a->mutex.  The comment indicates that this
should be a circular list.  I'm not sure why there's a NULL, but a simple check
fixes the problem.  If I call the same code from a shared library, no problem.
If I do a bunch of malloc() sleep() free() block, it doesn't crash.  If I set
the MALLOC_CHECK_ flag, it doesn't crash.  Overall an interesting bug to track
down.  I manually checked each heap header to verify I'm not smashing any of the
headers.

  do {
>>>>>>>>>>>>>>>>>>>>>>
    if (!a) break;                         /* added: stop if the list is not circular */
<<<<<<<<<<<<<<<<<<<<<<
    if(!mutex_trylock(&a->mutex)) {
      if (retried)
        (void)mutex_unlock(&list_lock);
      THREAD_STAT(++(a->stat_lock_loop));
      tsd_setspecific(arena_key, (Void_t *)a);
      return a;
    }
    a = a->next;
  } while(a != a_tsd);

I've verified it on REL4 (can we even call it linux anymore) and gentoo.

Jason

-- 
           Summary: Null pointer dereference in arena_get2() in arena.c
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: larsj at inel dot gov
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: i386-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=3769
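An added example, not part of the report or of glibc itself, that models the circular arena list and the trylock walk in plain C with the lock reduced to a flag (arena_get_guarded, arena_ring_intact and arena_ring_init are assumed names): the guarded walk returns NULL instead of dereferencing a broken ring, and the integrity check detects a non-circular list before the walk runs.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed stand-in for glibc's malloc_state: just the fields the
   arena_get2() loop touches; the lock is a flag, so no pthreads needed. */
struct arena {
    int locked;
    struct arena *next;   /* a healthy arena list is a ring */
};

/* Same contract as mutex_trylock(): 0 on success, non-zero if held. */
static int arena_trylock(struct arena *a)
{
    if (a->locked) return 1;
    a->locked = 1;
    return 0;
}

/* The arena_get2() loop with the NULL guard from the report: returns the
   first lockable arena, or NULL if all are busy or the ring is broken. */
struct arena *arena_get_guarded(struct arena *a_tsd)
{
    struct arena *a = a_tsd;
    do {
        if (!a) return NULL;              /* broken ring: do not deref */
        if (!arena_trylock(a)) return a;
        a = a->next;
    } while (a != a_tsd);
    return NULL;                          /* every arena busy */
}

/* Integrity check: true if following next from start returns to start
   within max_steps without meeting NULL (useful while chasing this bug). */
bool arena_ring_intact(const struct arena *start, size_t max_steps)
{
    const struct arena *a = start;
    for (size_t i = 0; i < max_steps; i++) {
        if (!a->next) return false;
        a = a->next;
        if (a == start) return true;
    }
    return false;
}

/* Build a constructed ring of n arenas; broken cuts the last link to NULL. */
void arena_ring_init(struct arena *arr, size_t n, bool broken)
{
    for (size_t i = 0; i < n; i++) {
        arr[i].locked = 0;
        arr[i].next = &arr[(i + 1) % n];
    }
    if (broken) arr[n - 1].next = NULL;
}
```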


