Bug#262782: free(valloc()): invalid pointer
Package: libc6
Version: 2.3.2.ds1-13
Severity: normal
Tags: security
Please see debian bug 234422 for the discovery. free(valloc()) is
apparently not valid.
free(3) says:
POSIX requires that memory obtained from posix_memalign() can be freed
using free(). Some systems provide no way to reclaim memory allocated
with memalign() or valloc() (because one can only pass to free() a
pointer gotten from malloc(), while e.g. memalign() would call
malloc() and then align the obtained value). GNU libc allows memory
obtained from any of these three routines to be reclaimed with free().
pryzbyj@andromeda:/tmp$ cat valloc.c; gcc valloc.c; MALLOC_CHECK_=1 ./a.out
#include <malloc.h>
int main()
{
    char *c=valloc(1232);
    free(c);
    return 0;
}
malloc: using debugging hooks
free(): invalid pointer 0x804b000!
FWIW, if I free(c-3) there is no problem.
I've security tagged this because everything links with libc.
free(invalid) is "unpredictable", but what if someone went to the
trouble of predicting it?
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (101, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C
Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl
-- no debconf information
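
The free(3) text quoted in the report says some systems cannot reclaim memalign()/valloc() memory because the routine calls malloc() and then aligns the value. The following added example (not code from the report or from glibc; the toy_* names and the 4096-byte page size are assumptions) shows why the aligned pointer is not a valid argument to free() in such a design, and how storing the original pointer lets a matching release routine free it safely:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers for illustration; not glibc's implementation. */

/* Allocate size bytes aligned to align (a power of two) on top of malloc().
 * The pointer malloc() returned is saved just below the aligned address. */
void *toy_memalign(size_t align, size_t size)
{
    if (align < sizeof(void *) || (align & (align - 1)) != 0)
        return NULL;                 /* not a usable power of two */
    if (size > SIZE_MAX - align - sizeof(void *))
        return NULL;                 /* padding would overflow */
    unsigned char *raw = malloc(size + align + sizeof(void *));
    if (raw == NULL)
        return NULL;
    uintptr_t start = (uintptr_t)raw + sizeof(void *);
    uintptr_t aligned = (start + align - 1) & ~(uintptr_t)(align - 1);
    memcpy((void *)(aligned - sizeof(void *)), &raw, sizeof raw);
    return (void *)aligned;
}

/* Recover the pointer malloc() actually handed out for an aligned block. */
void *toy_raw_pointer(void *aligned)
{
    void *raw;
    memcpy(&raw, (unsigned char *)aligned - sizeof raw, sizeof raw);
    return raw;
}

/* Only the saved pointer goes to free(); the aligned one was never
 * returned by malloc(). */
void toy_aligned_free(void *aligned)
{
    if (aligned != NULL)
        free(toy_raw_pointer(aligned));
}

int main(void)
{
    char *c = toy_memalign(4096, 1232); /* assumed page size; size as in the report */
    if (c == NULL)
        return 1;
    printf("aligned=%p raw=%p\n", (void *)c, toy_raw_pointer(c));
    toy_aligned_free(c);
    return 0;
}
```
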