Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 27 Dec 2013 17:13:45 -0500
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: Re: NULL deref SEGV in malloc.c:unbin()

On Fri, Dec 27, 2013 at 07:44:23PM +0000, David Wuertele wrote:
> Rich Felker <dalias <at> aerifal.cx> writes:
> > On Fri, Dec 27, 2013 at 06:35:00PM +0000, David Wuertele wrote:
> > > I wonder if anyone has hit this before?   In unbin(), c->next->prev is set,
> > > but c->next is NULL.   It happens repeatedly, and here's what gdb says:
> > 
> > It's almost surely a case of memory corruption by the calling program,
> > most likely using memory after it's already been freed.
> 
> Hmm, my program calls malloc() once and never calls free().

And this crash happens on the very first call to malloc? Or did you
mean it only called it once successfully?

> Oh, I guess it does call free indirectly when it uses closedir() and fclose().
> I will try to use gdb/watch to catch someone red-handed.

It's also possible you write past the end of the buffer obtained by
malloc.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.