git: 03a7c36ddbc0 - main - __crt_aligned_alloc_offset(): fix ov_index for backing allocation address

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Wed, 06 Sep 2023 19:38:35 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55

commit 03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-09-06 13:50:27 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-09-06 19:38:15 +0000

    __crt_aligned_alloc_offset(): fix ov_index for backing allocation address
    
    Wrong value of ov_index resulted in magic check failure, and refusal to
    free() the memory allocated with __crt_aligned_alloc_offset().
    Then the TLS segments of exited threads leaked.
    
    Reported and tested by: glebius
    Fixes:  c29ee08204ce4106d4992474005c5f2fb7d5fbf1
    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
---
 libexec/rtld-elf/rtld_malloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libexec/rtld-elf/rtld_malloc.c b/libexec/rtld-elf/rtld_malloc.c
index 6e011e88ba5a..4b5140551675 100644
--- a/libexec/rtld-elf/rtld_malloc.c
+++ b/libexec/rtld-elf/rtld_malloc.c
@@ -188,7 +188,7 @@ __crt_aligned_alloc_offset(size_t align, size_t size, size_t offset)
 	x += offset;
 	ov = cp2op((void *)x);
 	ov1.ov_magic = AMAGIC;
-	ov1.ov_index = x - (uintptr_t)mem - sizeof(union overhead);
+	ov1.ov_index = x - (uintptr_t)mem + sizeof(union overhead);
 	memcpy(ov, &ov1, sizeof(ov1));
 	return ((void *)x);
 }
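
Review bot: the corrected `ov1.ov_index` assignment has no comment saying what the value measures, and a one-character sign change being the whole fix shows how easy it is to get wrong. Since the commit message says a wrong value makes free() fail its magic check and leak the memory without any visible error, add a comment on that line stating the invariant the free() path relies on, that is, which address free() must recover from `x` and the stored index. It is also worth confirming that the type of `ov_index`, which this hunk does not show, can hold `x - (uintptr_t)mem + sizeof(union overhead)` for the largest `align` and `offset` that callers pass, because a truncated index would fail the same check in the same silent way.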