Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 28 Dec 2013 00:25:20 +0000 (UTC)
From: David Wuertele <>
Subject: Re: NULL deref SEGV in malloc.c:unbin()

Rich Felker <dalias <at>> writes:

> On Fri, Dec 27, 2013 at 07:44:23PM +0000, David Wuertele wrote:
> > Rich Felker <dalias <at>> writes:
> > > On Fri, Dec 27, 2013 at 06:35:00PM +0000, David Wuertele wrote:
> > > > I wonder if anyone has hit this before?   In unbin(),
> > > > c->next->prev is set, but c->next is NULL.   It happens
> > > > repeatedly, and here's what gdb says: 
> > > > 
> > > 
> > > It's almost surely a case of memory corruption by the calling
> > > program, most likely using memory after it's already been
> > > freed. 
> > 
> > Hmm, my program calls malloc() once and never calls free().
> And this crash happens on the very first call to malloc? Or did you
> mean it only called it once successfully?

I only call malloc directly once, and it succeeds.  I use the
allocation only for a circular buffer.  I have an extremely high
confidence that the circular buffer does not write outside of its
memory allocation.

I see that malloc is called many times when I run opendir()/closedir()
and other musl library functions.  It is during one of the closedir()
that I see the SEGV.

The SEGV happens when mal.bins[40] is dereferenced but
mal.bins[40] is NULL.  So I am running my program under gdb
while watching mal.bins[40].head.  I see that nobody except for the
musl lib writes to mal.bins[40], but I have not seen any of those
writes result in a NULL value in *->next.

Now I am watching all memory locations that mal.bins[40].head points
to in its history, but the going is very slow.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.