glibc deadlock on "top chunk is corrupt"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eglibc (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The following program deadlocks when run with MALLOC_CHECK_=3 and an argument of 1 (triggering the strcpy):
===
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char *p;

    p = malloc(20);
    if ((argc > 1) && atoi(argv[1])) {
        /* the strcpy that overwrites past p into the top chunk stood here
           in the original report; the line did not survive extraction */
    }
    free(p);
    free(p);    /* deliberate double free, caught by MALLOC_CHECK_=3 */
    return 0;
}
===
That is, if you save it as double-free.c and compile it with "gcc -o double-free double-free.c" and then run "MALLOC_CHECK_=3 ./double-free 1", you'll see:
*** glibc detected *** /home/you/
*** glibc detected *** /home/you/
And then it'll just sit there. A backtrace with gdb reveals:
#0 __lll_lock_
at ../nptl/
#1 0x00007ffff7ad7e63 in _L_lock_9561 () from /lib/libc.so.6
#2 0x00007ffff7ad521b in malloc_check (sz=106, caller=<value optimized out>)
at hooks.c:263
#3 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/
#4 0x00007ffff7ad288a in malloc_printerr () at malloc.c:6283
#5 top_check () at hooks.c:222
#6 0x00007ffff7ad5220 in malloc_check (sz=101, caller=<value optimized out>)
at hooks.c:264
#7 0x00007ffff7ac63db in __libc_message (do_abort=<value optimized out>,
fmt=<value optimized out>) at ../sysdeps/
#8 0x00007ffff7ad04b6 in malloc_printerr (action=3,
str=
at malloc.c:6283
#9 0x0000000000400633 in main (argc=2, argv=0x7fffffff
This seems similar to https:/
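The lock wait at the top of that backtrace is a re-entrancy deadlock: malloc_check() already holds the arena lock when top_check() fails, and the error reporter it calls allocates again, so the nested malloc_check() blocks on its own lock. Below is an added single-threaded model of that chain (not glibc's code; every model_ name is made up for illustration) that returns EDEADLK where the real lock blocks forever, next to a reporter variant that writes a fixed buffer and needs no lock.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Single-threaded model of the arena lock: glibc's low-level lock just blocks
 * when its own thread re-takes it; this one notices and records EDEADLK. */
static int arena_locked, lock_error;
static int top_is_corrupt;        /* what top_check() would report */
static int reporter_allocates;    /* 1: reporter formats its message via malloc */

static void *model_malloc_check(size_t sz);

/* Stand-in for malloc_printerr()/__libc_message(). In the report's chain the
 * reporter allocates, re-entering the allocator whose lock is already held;
 * the lock-free alternative is a fixed buffer written with write(2). */
static void model_printerr(const char *msg) {
    char stack_buf[128], *buf = stack_buf;
    size_t cap = sizeof stack_buf;
    if (reporter_allocates && (buf = model_malloc_check(cap)) == NULL)
        return;                   /* nested call was refused (would hang) */
    int n = snprintf(buf, cap, "*** model detected *** %s\n", msg);
    if (n > 0) write(2, buf, (size_t)n);
    if (buf != stack_buf) free(buf);
}

/* Stand-in for malloc_check(): take the arena lock, run top_check(), then
 * either allocate or report. The re-entry check is where real glibc hangs. */
static void *model_malloc_check(size_t sz) {
    if (arena_locked) { lock_error = EDEADLK; return NULL; }
    arena_locked = 1;
    void *p = NULL;
    if (top_is_corrupt)
        model_printerr("malloc: top chunk is corrupt");
    else
        p = malloc(sz);
    arena_locked = 0;
    return p;
}

/* Replays the backtrace: free() detects the double free and reports it while
 * the top chunk is corrupt. Returns EDEADLK when the reporter re-enters the
 * locked allocator, 0 when it reports without allocating. */
int simulate(int reporter_uses_malloc) {
    arena_locked = 0; lock_error = 0; top_is_corrupt = 1;
    reporter_allocates = reporter_uses_malloc;
    model_printerr("double free or corruption");
    return lock_error;
}
```

simulate(1) follows frames #8 down to #0 of the backtrace and stops at the second lock attempt; simulate(0) shows that a reporter which never allocates cannot reach that state.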
lsb_release -rd on my system says:
Description: Ubuntu 10.10
Release: 10.10
apt-cache policy libc6 says:
libc6:
Installed: 2.12.1-0ubuntu10.2
Candidate: 2.12.1-0ubuntu10.2
Version table:
*** 2.12.1-0ubuntu10.2 0
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
uname -a says (hostname scrubbed):
Linux host.domain.com 2.6.35-28-server #50-Ubuntu SMP Fri Mar 18 18:59:25 UTC 2011 x86_64 GNU/Linux