git: 03a7c36ddbc0 - main - __crt_aligned_alloc_offset(): fix ov_index for backing allocation address
Date: Wed, 06 Sep 2023 19:38:35 UTC
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55
commit 03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-09-06 13:50:27 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-09-06 19:38:15 +0000
__crt_aligned_alloc_offset(): fix ov_index for backing allocation address
Wrong value of ov_index resulted in magic check failure, and refusal to
free() the memory allocated with __crt_aligned_alloc_offset().
Then the TLS segments of exited threads leaked.
Reported and tested by: glebius
Fixes: c29ee08204ce4106d4992474005c5f2fb7d5fbf1
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
---
libexec/rtld-elf/rtld_malloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexec/rtld-elf/rtld_malloc.c b/libexec/rtld-elf/rtld_malloc.c
index 6e011e88ba5a..4b5140551675 100644
--- a/libexec/rtld-elf/rtld_malloc.c
+++ b/libexec/rtld-elf/rtld_malloc.c
@@ -188,7 +188,7 @@ __crt_aligned_alloc_offset(size_t align, size_t size, size_t offset)
x += offset;
ov = cp2op((void *)x);
ov1.ov_magic = AMAGIC;
- ov1.ov_index = x - (uintptr_t)mem - sizeof(union overhead);
+ ov1.ov_index = x - (uintptr_t)mem + sizeof(union overhead);
memcpy(ov, &ov1, sizeof(ov1));
return ((void *)x);
}
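Review bot: The `ov1.ov_index` assignment needs a comment stating what the index is measured from and how the free path is expected to undo it. The only difference from the old line is the sign on `sizeof(union overhead)`, and nothing in this hunk shows the matching decode, so the same mistake is easy to reintroduce. The commit message says the wrong value made free() refuse the block and leak TLS segments rather than fail loudly, so a regression test that allocates with __crt_aligned_alloc_offset() at several align and offset values and then frees the result would catch a recurrence. It is also worth confirming that the width of ov_index (not visible in this hunk) can hold `x - (uintptr_t)mem + sizeof(union overhead)` for the largest align and offset that callers pass, or asserting that before the memcpy().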