Date: Sat, 28 Dec 2013 00:25:20 +0000 (UTC) From: David Wuertele <dave+gmane@...rtele.com> To: musl@...ts.openwall.com Subject: Re: NULL deref SEGV in malloc.c:unbin() Rich Felker <dalias <at> aerifal.cx> writes: > > On Fri, Dec 27, 2013 at 07:44:23PM +0000, David Wuertele wrote: > > Rich Felker <dalias <at> aerifal.cx> writes: > > > On Fri, Dec 27, 2013 at 06:35:00PM +0000, David Wuertele wrote: > > > > I wonder if anyone has hit this before? In unbin(), > > > > c->next->prev is set, but c->next is NULL. It happens > > > > repeatedly, and here's what gdb says: > > > > > > > > > > It's almost surely a case of memory corruption by the calling > > > program, most likely using memory after it's already been > > > freed. > > > > Hmm, my program calls malloc() once and never calls free(). > > And this crash happens on the very first call to malloc? Or did you > mean it only called it once successfully? > I only call malloc directly once, and it succeeds. I use the allocation only for a circular buffer. I have an extremely high confidence that the circular buffer does not write outside of its memory allocation. I see that malloc is called many times when I run opendir()/closedir() and other musl library functions. It is during one of the closedir() that I see the SEGV. The SEGV happens when mal.bins.head.next is dereferenced but mal.bins.head.next is NULL. So I am running my program under gdb while watching mal.bins.head. I see that nobody except for the musl lib writes to mal.bins, but I have not seen any of those writes result in a NULL value in *->next. Now I am watching all memory locations that mal.bins.head points to in its history, but the going is very slow. Dave
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.