This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c
- From: "larsj at inel dot gov" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 20 Dec 2006 17:07:29 -0000
- Subject: [Bug libc/3769] New: Null pointer dereference in arena_get2() in arena.c
- Reply-to: sourceware-bugzilla at sourceware dot org
Null pointer dereference (problem and fix)
I'm doing some funky hand optimized code in mmap'd regions. I get a NULL pointer
dereference if I call calloc() but not if I call malloc(). The code block in
arena_get2() in arena.c is:
do {
  if(!mutex_trylock(&a->mutex)) {
    if (retried)
      (void)mutex_unlock(&list_lock);
    THREAD_STAT(++(a->stat_lock_loop));
    tsd_setspecific(arena_key, (Void_t *)a);
    return a;
  }
  a = a->next;
} while(a != a_tsd);
After a few times around the loop, a is NULL, resulting in a NULL pointer
dereference when trying to access a->mutex. The comment indicates that this
should be a circular list. I'm not sure why there's a NULL, but a simple check
fixes the problem. If I call the same code from a shared library, no problem.
If I do a bunch of malloc() sleep() free() block, it doesn't crash. If I set
the MALLOC_CHECK_ flag, it doesn't crash. Overall an interesting bug to track
down. I manually checked each heap header to verify I'm not smashing any of the
headers.
do {
>>>>>>>>>>>>>>>>>>>>>>
  if (!a) break;
<<<<<<<<<<<<<<<<<<<<<<
  if(!mutex_trylock(&a->mutex)) {
    if (retried)
      (void)mutex_unlock(&list_lock);
    THREAD_STAT(++(a->stat_lock_loop));
    tsd_setspecific(arena_key, (Void_t *)a);
    return a;
  }
  a = a->next;
} while(a != a_tsd);
I've verified it on REL4 (can we even call it linux anymore) and gentoo.
Jason
--
Summary: Null pointer dereference in arena_get2() in arena.c
Product: glibc
Version: 2.4
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: larsj at inel dot gov
CC: glibc-bugs at sources dot redhat dot com
GCC host triplet: i386-linux-gnu
http://sourceware.org/bugzilla/show_bug.cgi?id=3769
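The arena search loop from the report, rebuilt as a stand-alone C model so the effect of the `if (!a) break;` guard can be exercised. This is an added example, not glibc's code: the `struct arena` layout, `arena_trylock`, `find_unlocked_arena` and `run_search` are assumptions, and the NULL link in the ring is constructed to mimic the corruption the reporter hit.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Minimal stand-in for a malloc arena (assumed layout, not glibc's real struct). */
struct arena {
    atomic_flag lock;      /* try-lock modelled as a test-and-set flag */
    struct arena *next;    /* meant to form a circular list */
};

/* Stand-in for mutex_trylock(): 0 on success, 1 if the lock is already held. */
static int arena_trylock(struct arena *a)
{
    return atomic_flag_test_and_set(&a->lock) ? 1 : 0;
}

/* The arena_get2() search loop with the reporter's guard: walk the ring from
 * `start` until an arena can be locked. A NULL link ends the walk instead of
 * being dereferenced. Returns the locked arena, or NULL if none was found. */
struct arena *find_unlocked_arena(struct arena *start)
{
    struct arena *a = start;
    do {
        if (!a) break;          /* the fix: tolerate a broken (non-circular) list */
        if (!arena_trylock(a))
            return a;           /* caller now holds a->lock */
        a = a->next;
    } while (a != start);
    return NULL;
}

/* Build a ring of n (<= 8) arenas (i -> i+1, last -> first), mark the first
 * `busy` arenas as held by another thread, and optionally cut the link after
 * the last busy arena to reproduce the corruption seen in the report.
 * Returns the index of the arena the search locked, or -1 for none. */
int run_search(size_t n, size_t busy, int corrupt)
{
    struct arena ring[8];
    if (n == 0 || n > 8) return -1;
    for (size_t i = 0; i < n; i++) {
        atomic_flag_clear(&ring[i].lock);
        ring[i].next = &ring[(i + 1) % n];
    }
    for (size_t i = 0; i < busy && i < n; i++)
        arena_trylock(&ring[i]);
    if (corrupt && busy > 0)
        ring[busy - 1].next = NULL;   /* constructed corruption: dangling NULL link */
    /* Without the guard the corrupted case would read NULL->mutex here. */
    struct arena *a = find_unlocked_arena(&ring[0]);
    return a ? (int)(a - ring) : -1;
}
```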