[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190125214929.GE23924@voyager>
Date: Fri, 25 Jan 2019 22:49:29 +0100
From: Markus Wichmann <nullplan@....net>
To: musl@...ts.openwall.com
Subject: Re: Infinite loop in malloc
On Fri, Jan 25, 2019 at 10:13:50AM -0500, r yang wrote:
> Examining the value in gdb:
> (gdb) printf "%X\n", mask
> 204701
>
> The bin head points to the bin itself so this condition is never met:
> c = mal.bins[j].head;
> if (c != BIN_TO_CHUNK(j)) { ... }
>
> Examining the values in gdb:
> (gdb) printf "%X\n", mal.bins[j].head
> 62337FC0
> (gdb) printf "%X\n", (struct chunk *)((char *)(&mal.bins[j].head) - (2*sizeof(size_t)))
> 62337FC0
Wait, isn't that an invalid state? The bins are circular doubly linked
lists; the head points back to itself only when the list is empty. But
the binmap is only set for non-empty bins. At least in the
single-threaded case.
So, if the bit is 1, then it was never deleted. So either arm's
a_and_64() is b0rken, or the last chunk removed from the smallest bin
was invalid, and didn't trigger the a_and_64(). Or does anyone have a
better idea?
Ciao,
Markus
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
