Ubuntu
eglibc package

glibc deadlock on "top chunk is corrupt"

Bug #794605 reported by David Sklar
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
eglibc (Ubuntu)
New
Undecided
Unassigned

Bug Description

The following program deadlocks when run with MALLOC_CHECK_=3 an argument of 1 (triggering the strcpy)

===
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;

    p = malloc(20);
    if ((argc > 1) && atoi(argv[1])) {
         strcpy(p,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
    }
    free(p);
    free(p);

}
==

That is, if you save it as double-free.c and compile it with "gcc -o double-free double-free.c" and then run "MALLOC_CHECK_=3 ./double-free 1", you'll see:

*** glibc detected *** /home/you/double-free: free(): invalid pointer: 0x0000000000602010 ***
*** glibc detected *** /home/you/double-free: malloc: top chunk is corrupt: 0x0000000000602020 ***

And then it'll just sit there. A backtrace with gdb reveals:

#0 __lll_lock_wait_private ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:97
#1 0x00007ffff7ad7e63 in _L_lock_9561 () from /lib/libc.so.6
#2 0x00007ffff7ad521b in malloc_check (sz=106, caller=<value optimized out>)
    at hooks.c:263
#3 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#4 0x00007ffff7ad288a in malloc_printerr () at malloc.c:6283
#5 top_check () at hooks.c:222
#6 0x00007ffff7ad5220 in malloc_check (sz=101, caller=<value optimized out>)
    at hooks.c:264
#7 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
    fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:138
#8 0x00007ffff7ad04b6 in malloc_printerr (action=3,
    str=0x7ffff7ba0e33 "free(): invalid pointer", ptr=<value optimized out>)
    at malloc.c:6283
#9 0x0000000000400633 in main (argc=2, argv=0x7fffffffec38) at double-free.c:14

This seems similar to https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/425723 in that re-entrant behavior in malloc diagnostics is trying to re-aquire a mutex that's already been acquired. In malloc/hooks.c, when top_check() calls malloc_printerr() at line 222, maybe there needs to be a "void)mutex_unlock(&main_arena.mutex);" first? I am not sure if that would cause other problems.

lsb_release -rd on my system says:
Description: Ubuntu 10.10
Release: 10.10

apt-cache policy libc6 says:
libc6:
  Installed: 2.12.1-0ubuntu10.2
  Candidate: 2.12.1-0ubuntu10.2
  Version table:
 *** 2.12.1-0ubuntu10.2 0
        500 http://ubuntu-mirror/ubuntu/ maverick-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.12.1-0ubuntu10.1 0
        500 http://ubuntu-mirror/ubuntu/ maverick-security/main amd64 Packages
     2.12.1-0ubuntu6 0
        500 http://ubuntu-mirror/ubuntu/ maverick/main amd64 Packages

uname -a says (hostname scrubbed):

Linux host.domain.com 2.6.35-28-server #50-Ubuntu SMP Fri Mar 18 18:59:25 UTC 2011 x86_64 GNU/Linux

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.