From patchwork Sun Aug 3 20:35:00 2025
X-Patchwork-Submitter: Samuel Thibault
X-Patchwork-Id: 117536
From: Samuel Thibault
To: libc-alpha@sourceware.org
Cc: Samuel Thibault, wilco.dijkstra@arm.com, fweimer@redhat.com, adhemerval.zanella@linaro.org, siddhesh@sourceware.org, eyalit@checkpoint.com
Subject: [PATCHv2] malloc: Make sure tcache_key is odd enough
Date: Sun, 3 Aug 2025 22:35:00 +0200
Message-ID: <20250803203500.2027687-1-samuel.thibault@ens-lyon.org>

We want tcache_key not to be a commonly-occurring value in memory, so ensure a minimum amount of one and zero bits.

And we need it to be non-zero, otherwise even if tcache_double_free_verify sets e->key to 0 before calling __libc_free, it gets called again by __libc_free, thus looping indefinitely.

Fixes: c968fe50628db74b52124d863cd828225a1d305c ("malloc: Use tailcalls in __libc_free")
---
 malloc/malloc.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Difference from v1:
- Use stdc_count_ones
- Require only 1/4 zeros and ones
- Require the value to be at least 0x1000000

diff --git a/malloc/malloc.c b/malloc/malloc.c index 5ca390cc22..ed64e6749f 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -230,6 +230,9 @@ /* For uintptr_t. */ #include +/* For stdc_count_ones. */ +#include + /* For va_arg, va_start, va_end. */ #include 
@@ -3152,6 +3155,18 @@ tcache_key_initialize (void) if (__getrandom_nocancel_nostatus_direct (&tcache_key, sizeof(tcache_key), GRND_NONBLOCK) != sizeof (tcache_key)) + tcache_key = 0; + + /* We need tcache_key to be non-zero (otherwise tcache_double_free_verify's + * clearing of e->key would go unnoticed and it would loop getting called + * through __libc_free), and we want tcache_key not to be a commonly-occurring + * value in memory, so ensure a minimum amount of one and zero bits. */ + int minimum_bits = __WORDSIZE / 4; + int maximum_bits = __WORDSIZE - minimum_bits; + + while (labs (tcache_key) <= 0x1000000 + || stdc_count_ones (tcache_key) < minimum_bits + || stdc_count_ones (tcache_key) > maximum_bits) { tcache_key = random_bits (); #if __WORDSIZE == 64
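Review bot: In the while condition of the tcache_key_initialize hunk, labs (tcache_key) is the first operand of ||, so it is evaluated for every candidate value. That includes the bit pattern with only the top bit set, which is LONG_MIN when taken as a long (assuming long is __WORDSIZE bits wide) and for which labs is undefined. Putting the two stdc_count_ones bounds first would reject that value before labs sees it, since it has a single one bit. Alternatively, the magnitude test could be written out explicitly without labs. The added comment explains the non-zero and bit-count requirements but not the 0x1000000 threshold; a sentence on why values of small magnitude, in either sign, are excluded would make the condition easier to maintain.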