Bug in chunk allocation
Jason Evans
jasone at canonware.com
Thu Jul 9 21:44:05 PDT 2015
> On Jun 8, 2015, at 2:15 PM, Christopher Ferris <cferris at google.com <mailto:cferris at google.com>> wrote:
>
> Recently, it appears that there was a bug introduced in chunk allocation. The bug is exposed by this small snippet of code:
>
> void* mem = malloc(128*1024*1024);
> printf("mem address %p\n", mem);
> free(mem);
> void* large_alloc = malloc(0x80000081UL);
> printf("large mem %p\n", large_alloc);
> free(large_alloc);
>
> It looks like the bug is in the chunk_recycle code, in this piece of code:
>
> if (new_addr != NULL) {
> extent_node_t key;
> extent_node_init(&key, arena, new_addr, alloc_size, false);
> node = extent_tree_ad_search(chunks_ad, &key);
> } else {
> node = chunk_first_fit(arena, chunks_szad, chunks_ad,
> alloc_size);
> }
> if (node == NULL || (new_addr != NULL && extent_node_size_get(node) <
> size)) {
> malloc_mutex_unlock(&arena->chunks_mtx);
> return (NULL);
> }
>
> The problem is that new_addr == NULL, so the size check is not performed. In my testing, removing the new_addr != NULL check fixes the problem, but I don't know if that's the correct change.
>
> The first allocation after the free shows the problem, if you try and use the whole memory allocation it might segfault, or let you scribble all over someone else's memory.
This was caused by integer overflow in size class computation, and is fixed now:
https://github.com/jemalloc/jemalloc/commit/dde067264db6b801f7ffae9616a35dba5d2d9ad4 <https://github.com/jemalloc/jemalloc/commit/dde067264db6b801f7ffae9616a35dba5d2d9ad4>
Thanks,
Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jemalloc.net/mailman/jemalloc-discuss/attachments/20150710/cefe2713/attachment.html>
More information about the jemalloc-discuss
mailing list