git: 03a7c36ddbc0 - main - __crt_aligned_alloc_offset(): fix ov_index for backing allocation address
Date: Wed, 06 Sep 2023 19:38:35 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55
commit 03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-09-06 13:50:27 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-09-06 19:38:15 +0000
__crt_aligned_alloc_offset(): fix ov_index for backing allocation address
Wrong value of ov_index resulted in magic check failure, and refuse to free() the memory allocated with __crt_aligned_alloc_offset(). Then the TLS segments of exited threads leaked.
Reported and tested by: glebius
Fixes: c29ee08204ce4106d4992474005c5f2fb7d5fbf1
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
---
 libexec/rtld-elf/rtld_malloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexec/rtld-elf/rtld_malloc.c b/libexec/rtld-elf/rtld_malloc.c
index 6e011e88ba5a..4b5140551675 100644
--- a/libexec/rtld-elf/rtld_malloc.c
+++ b/libexec/rtld-elf/rtld_malloc.c
@@ -188,7 +188,7 @@ __crt_aligned_alloc_offset(size_t align, size_t size, size_t offset)
 x += offset;
 ov = cp2op((void *)x);
 ov1.ov_magic = AMAGIC;
- ov1.ov_index = x - (uintptr_t)mem - sizeof(union overhead);
+ ov1.ov_index = x - (uintptr_t)mem + sizeof(union overhead);
 memcpy(ov, &ov1, sizeof(ov1));
 return ((void *)x);
 }
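Review bot: The corrected assignment `ov1.ov_index = x - (uintptr_t)mem + sizeof(union overhead);` stores a `uintptr_t`-sized distance into `ov_index` with no range check, and the fix makes the stored value larger than before by twice `sizeof(union overhead)`. The declaration of `union overhead` is outside this hunk, so the field's width cannot be confirmed here; if it is narrower than the largest `align + offset` a caller can request, the value would truncate silently and the free path would presumably derive a wrong backing address again, which is the failure the commit message describes. Consider computing the distance into a local `uintptr_t d` and refusing the request when it does not round-trip, e.g. `ov1.ov_index = d; if (ov1.ov_index != d) /* release mem, return NULL */`, together with a comment such as `/* AMAGIC: ov_index is the byte distance from x back to the backing allocation's header */`. The body of `__crt_aligned_alloc_offset()` begins above the hunk, so how `mem` is obtained and released on that error path has to be checked there.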