From patchwork Fri Jul 18 07:48:01 2025
X-Patchwork-Submitter: just4you
X-Patchwork-Id: 116533
Date: Fri, 18 Jul 2025 07:48:01 +0000
To: "libc-alpha@sourceware.org"
From: just4you
Subject: [PATCH] malloc: Add tcache list length integrity check
List-Id: Libc-alpha mailing list
Signed-off-by: cyzq
---
 malloc/malloc.c | 2 ++
 1 file changed, 2 insertions(+)
--- 2.43.0

The above is my patch. I am a novice hacker. When I was learning tcache attacks, I noticed that the check in tcache_double_free_verify was not perfect. I wondered why the above check was not added, and I thought that adding the above check would not cause a big performance loss, so I submitted a patch to glibc.

Of course, if you think the above check should not be added, if possible, I hope you can tell me the reason, because I want to know more about the glibc code.

diff --git a/malloc/malloc.c b/malloc/malloc.c index 5ca390cc22..205a54aa55 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3329,6 +3329,8 @@ tcache_double_free_verify (tcache_entry *e)     {       if (cnt >= mp_.tcache_count)         malloc_printerr ("free(): too many chunks detected in tcache"); +     if (cnt > tcache->counts[tc_idx]) +        malloc_printerr ("free(): tcache count mismatch");       if (__glibc_unlikely (misaligned_mem (tmp)))         malloc_printerr ("free(): unaligned chunk detected in tcache 2");       if (tmp == e)
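Review bot: the new `if (cnt > tcache->counts[tc_idx])` test is off by one. `cnt` is the zero-based index of `tmp` in the walk, so when the list holds exactly one entry more than `counts[tc_idx]` records, that extra entry is visited with `cnt == counts[tc_idx]` and the strict comparison does not fire; only a list at least two entries longer than the recorded count is reported. Using `cnt >= tcache->counts[tc_idx]`, which mirrors the existing `if (cnt >= mp_.tcache_count)` line directly above it, would report the first entry beyond the declared count. Two related points: a list shorter than `counts[tc_idx]` is never noticed, because the walk simply stops at a NULL `next`, so if the intent is a consistency check a final `if (cnt != tcache->counts[tc_idx])` after the loop is needed as well; and `counts[]` lives in the same per-thread tcache structure as the `entries[]` list being walked, so an attacker who can forge `next` pointers there can usually adjust the count too, which bounds what this check buys and should be stated honestly in the rationale. Finally, the commit message is empty apart from the Signed-off-by: the explanation given below the `---` line is discarded by `git am`, so the motivation (what the check catches, and the cost argument) belongs above the `---`.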
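As an added illustration, not part of the patch and not glibc code: the program below models a single tcache bin with the same walk as the patched loop and runs it with both the submitted `cnt > counts` comparison and `cnt >= counts`, against lists that are consistent with, one longer than, and two longer than the recorded count. The structures, limits and chunk lists are constructed for the demonstration (a 4-bin table, a limit of 7 standing in for `mp_.tcache_count`, hand-linked chunks, no safe-linking pointer mangling and no alignment check), so only the loop logic corresponds to glibc; the function and type names are chosen here and are not glibc's.

```c
/* Added example (not glibc code): a stand-in per-thread tcache used to
   exercise the list-length check from the patch.  Bin count, the limit
   standing in for mp_.tcache_count, and the chunk lists are assumptions.
   Safe-linking (REVEAL_PTR) and the misaligned_mem check are omitted.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCACHE_BINS 4        /* assumption: a few bins suffice here          */
#define TCACHE_COUNT_MAX 7   /* stands in for mp_.tcache_count (default 7)   */
#define POOL_SIZE 8          /* constructed chunks available for linking     */

typedef struct tcache_entry
{
  struct tcache_entry *next;
  uintptr_t key;             /* glibc stores tcache_key here on free         */
} tcache_entry;

typedef struct
{
  uint16_t counts[TCACHE_BINS];
  tcache_entry *entries[TCACHE_BINS];
} tcache_perthread_struct;

typedef enum
{
  VERIFY_OK = 0,             /* e not found: glibc clears e->key and retries */
  VERIFY_TOO_MANY,           /* "too many chunks detected in tcache"         */
  VERIFY_COUNT_MISMATCH,     /* the patch's new "tcache count mismatch"      */
  VERIFY_DOUBLE_FREE         /* "double free detected in tcache 2"           */
} verify_result;

/* Walk bin tc_idx as the patched loop does.  strict_gt selects the patch's
   `cnt > counts` comparison; false selects `cnt >= counts` instead.        */
static verify_result
tcache_verify (const tcache_perthread_struct *tc, size_t tc_idx,
               const tcache_entry *e, bool strict_gt)
{
  size_t cnt = 0;
  for (const tcache_entry *tmp = tc->entries[tc_idx]; tmp;
       tmp = tmp->next, ++cnt)
    {
      if (cnt >= TCACHE_COUNT_MAX)
        return VERIFY_TOO_MANY;
      size_t declared = tc->counts[tc_idx];
      if (strict_gt ? cnt > declared : cnt >= declared)
        return VERIFY_COUNT_MISMATCH;
      if (tmp == e)
        return VERIFY_DOUBLE_FREE;
    }
  return VERIFY_OK;
}

/* Link the first n_linked pool chunks into bin 0 and record `declared` in
   counts[0].  n_linked != declared models a list whose tail was forged.    */
static void
build_bin (tcache_perthread_struct *tc, tcache_entry *pool,
           size_t n_linked, uint16_t declared)
{
  memset (tc, 0, sizeof *tc);
  for (size_t i = 0; i < POOL_SIZE; i++)
    pool[i].next = NULL;
  for (size_t i = 0; i + 1 < n_linked; i++)
    pool[i].next = &pool[i + 1];
  tc->entries[0] = n_linked ? &pool[0] : NULL;
  tc->counts[0] = declared;
}

/* Verify a chunk that is NOT on the list (the benign key-collision case). */
static verify_result
run_scenario (size_t n_linked, uint16_t declared, bool strict_gt)
{
  static tcache_entry pool[POOL_SIZE];
  static tcache_entry outsider;       /* never linked into any bin */
  tcache_perthread_struct tc;
  build_bin (&tc, pool, n_linked, declared);
  return tcache_verify (&tc, 0, &outsider, strict_gt);
}

/* Same walk, but the chunk being freed is already the bin's last entry.  */
static verify_result
run_double_free (size_t n_linked, uint16_t declared, bool strict_gt)
{
  static tcache_entry pool[POOL_SIZE];
  tcache_perthread_struct tc;
  if (n_linked == 0)
    return VERIFY_OK;
  build_bin (&tc, pool, n_linked, declared);
  return tcache_verify (&tc, 0, &pool[n_linked - 1], strict_gt);
}

int
main (void)
{
  static const char *names[] = { "ok", "too-many", "count-mismatch", "double-free" };
  printf ("%-8s %-8s  %-16s %-16s\n", "linked", "counts", "cnt > counts", "cnt >= counts");
  for (size_t linked = 3; linked <= 5; linked++)
    printf ("%-8zu %-8u  %-16s %-16s\n", linked, 3u,
            names[run_scenario (linked, 3, true)],
            names[run_scenario (linked, 3, false)]);
  printf ("double free in a consistent 3-entry bin: %s\n",
          names[run_double_free (3, 3, true)]);
  return 0;
}
```

Build with `cc -std=c11 -Wall tcache_verify_demo.c` (file name chosen here). The middle row of the table is the interesting one: with four chunks linked and a recorded count of three, the strict comparison returns `ok` because the fourth chunk is visited at `cnt == 3`, while `cnt >= counts` reports it; the strict form only reports the five-chunk list.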