
Bug#262782: free(valloc()): invalid pointer



Package: libc6
Version: 2.3.2.ds1-13
Severity: normal
Tags: security

Please see Debian bug 234422 for the discovery.  free(valloc()) is
apparently not valid.

free(3) says:

POSIX requires that memory obtained from posix_memalign() can be freed
using free().  Some systems provide no way to reclaim memory allocated
with memalign() or valloc() (because one can only pass to free() a
pointer gotten from malloc(), while e.g. memalign() would call
malloc() and then align the obtained value).  GNU libc allows memory
obtained from any of these three routines to be reclaimed with free().

pryzbyj@andromeda:/tmp$ cat valloc.c; gcc valloc.c; MALLOC_CHECK_=1 ./a.out
#include <malloc.h>

int main()
{
	char *c=valloc(1232);
	free(c);

	return 0;
}
malloc: using debugging hooks
free(): invalid pointer 0x804b000!

FWIW, if I free(c-3) there is no problem.

I've security tagged this because everything links with libc.
free(invalid) is "unpredictable", but what if someone went to the
trouble of predicting it?


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (101, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages libc6 depends on:
ii  libdb1-compat                 2.1.3-7    The Berkeley database routines [gl

-- no debconf information
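
Added example, not part of the original report and not glibc's code: a sketch of the "call malloc() and then align the obtained value" scheme the free(3) excerpt describes, showing why the aligned pointer is not one free() may receive and how a wrapper keeps the pointer that is. The demo_* names and the 4096-byte alignment are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* demo_* names are hypothetical helpers for this example, not glibc API. */

/* Over-allocate with malloc(), round the address up to `align` (a power
 * of two), and store malloc()'s own pointer in the slot just below the
 * aligned block so it can be recovered at release time. */
void *demo_aligned_alloc(size_t align, size_t size)
{
    if (align < sizeof(void *) || (align & (align - 1)) != 0)
        return NULL;                      /* unusable alignment */
    if (size > SIZE_MAX - align - sizeof(void *))
        return NULL;                      /* size computation would wrap */

    unsigned char *raw = malloc(size + align + sizeof(void *));
    if (raw == NULL)
        return NULL;

    uintptr_t start = (uintptr_t)raw + sizeof(void *);
    uintptr_t aligned = (start + align - 1) & ~((uintptr_t)align - 1);
    ((void **)aligned)[-1] = raw;
    return (void *)aligned;
}

/* The only pointer from this block that free() may legally receive. */
void *demo_aligned_base(void *p)
{
    return p ? ((void **)p)[-1] : NULL;
}

void demo_aligned_free(void *p)
{
    free(demo_aligned_base(p));
}

int main(void)
{
    void *p = demo_aligned_alloc(4096, 1232);   /* same size as valloc.c */
    if (p == NULL)
        return 1;
    printf("aligned %p, malloc() returned %p\n", p, demo_aligned_base(p));
    demo_aligned_free(p);   /* free(p) here would pass an invalid pointer */
    return 0;
}
```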


