From patchwork Tue Nov 12 09:22:19 2019
X-Patchwork-Submitter: liusirui
X-Patchwork-Id: 1193387
From: Liusirui
Subject: [PATCH] fix null pointer in mtrace
Date: Tue, 12 Nov 2019 17:22:19 +0800
Message-ID: <1573550539-34259-1-git-send-email-liusirui@huawei.com>

In a multi-threaded program, some threads request or free memory and try to write trace info into the file which "mallstream" points to. At the same time, another thread calls "muntrace" and sets "mallstream" to NULL. This may cause a segmentation fault. The comment in malloc/mtrace.c says "We could be printing a NULL here; that's OK.". Although the functions mtrace/muntrace are used for debugging, a program isn't expected to crash while using these functions.

--- malloc/mtrace.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/malloc/mtrace.c b/malloc/mtrace.c index 707f998..33f01b4 100644 --- a/malloc/mtrace.c +++ b/malloc/mtrace.c @@ -44,6 +44,10 @@ #define TRACE_BUFFER_SIZE 512 +#define mtrace_print(file, format, ...) do { \ +if (file != NULL) mtrace_print(file, format,##__VA_ARGS__); \ +} while(0) + static FILE *mallstream; static const char mallenv[] = "MALLOC_TRACE"; static char *malloc_trace_buffer; 
@@ -99,12 +103,12 @@ tr_where (const void *caller, Dl_info *info) ")"); } - fprintf (mallstream, "@ %s%s%s[%p] ", + mtrace_print (mallstream, "@ %s%s%s[%p] ", info->dli_fname ? : "", info->dli_fname ? ":" : "", buf, caller); } else - fprintf (mallstream, "@ [%p] ", caller); + mtrace_print (mallstream, "@ [%p] ", caller); } } @@ -166,7 +170,7 @@ tr_freehook (void *ptr, const void *caller) Dl_info *info = lock_and_info (caller, &mem); tr_where (caller, info); /* Be sure to print it first. */ - fprintf (mallstream, "- %p\n", ptr); + mtrace_print (mallstream, "- %p\n", ptr); if (ptr == mallwatch) { __libc_lock_unlock (lock); @@ -198,8 +202,7 @@ tr_mallochook (size_t size, const void *caller) set_trace_hooks (); tr_where (caller, info); - /* We could be printing a NULL here; that's OK. */ - fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); + mtrace_print (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); __libc_lock_unlock (lock); @@ -232,17 +235,17 @@ tr_reallochook (void *ptr, size_t size, const void *caller) { if (size != 0) /* Failed realloc. */ - fprintf (mallstream, "! %p %#lx\n", ptr, (unsigned long int) size); + mtrace_print (mallstream, "! %p %#lx\n", ptr, (unsigned long int) size); else - fprintf (mallstream, "- %p\n", ptr); + mtrace_print (mallstream, "- %p\n", ptr); } else if (ptr == NULL) - fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); + mtrace_print (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); else { - fprintf (mallstream, "< %p\n", ptr); + mtrace_print (mallstream, "< %p\n", ptr); tr_where (caller, info); - fprintf (mallstream, "> %p %#lx\n", hdr, (unsigned long int) size); + mtrace_print (mallstream, "> %p %#lx\n", hdr, (unsigned long int) size); } __libc_lock_unlock (lock); 
@@ -270,7 +273,7 @@ tr_memalignhook (size_t alignment, size_t size, const void *caller) tr_where (caller, info); /* We could be printing a NULL here; that's OK. */ - fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); + mtrace_print (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); __libc_lock_unlock (lock); @@ -333,7 +336,7 @@ mtrace (void) /* Be sure it doesn't malloc its buffer! */ malloc_trace_buffer = mtb; setvbuf (mallstream, malloc_trace_buffer, _IOFBF, TRACE_BUFFER_SIZE); - fprintf (mallstream, "= Start\n"); + mtrace_print (mallstream, "= Start\n"); save_default_hooks (); set_trace_hooks (); #ifdef _LIBC @@ -363,6 +366,6 @@ muntrace (void) mallstream = NULL; set_default_hooks (); - fprintf (f, "= End\n"); + mtrace_print (f, "= End\n"); fclose (f); }
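
Review bot: In the `@@ -44,6 +44,10 @@` hunk, the body of the new `mtrace_print` macro calls `mtrace_print` again instead of `fprintf`. A function-like macro is not re-expanded inside its own expansion, so every converted call site ends up calling an undeclared function named `mtrace_print` and the file will not build. The guarded call should be `fprintf (file, format, ##__VA_ARGS__)`. The macro also evaluates `file` twice and unparenthesized; at most call sites the argument is the global `mallstream`, so the check and the use are two separate reads and a concurrent `mallstream = NULL` can still land between them. Copy the stream into a local once and test that, or make the check under the same `lock` the hooks release with `__libc_lock_unlock (lock)`.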
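
Review bot: The comment deleted in the `tr_mallochook` hunk (`/* We could be printing a NULL here; that's OK. */`) sits directly above a line that prints `hdr` with `%p`, so it reads as documenting a NULL `hdr` after a failed allocation, not a NULL `mallstream`. Removing it drops that note, and the identical comment is left untouched in the `tr_memalignhook` hunk, which makes the two hooks inconsistent. Keep the comment in both places (or reword it to name `hdr`), and adjust the commit message, which cites it as if it described the stream.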
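
Review bot: In the `mtrace` hunk, the NULL check added to the `"= Start\n"` line cannot protect anything, because `setvbuf (mallstream, malloc_trace_buffer, _IOFBF, TRACE_BUFFER_SIZE)` two lines earlier already uses the same pointer unguarded. Leave this call as a plain `fprintf`, or, if `mallstream` can really be NULL at this point, guard the `setvbuf` call as well and say in a comment why.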
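
Review bot: In the `muntrace` hunk, guarding `mtrace_print (f, "= End\n")` leaves `fclose (f)` on the next line unguarded, so the check on `f` is either redundant or incomplete. More importantly, the visible context assigns `mallstream = NULL` and closes the stream with no lock taken, while the hooks write to the stream before their `__libc_lock_unlock (lock)`. A hook that has already passed the NULL test in another thread can therefore still write to a `FILE` that this function is closing, which the per-call NULL check does not prevent. Take the same `lock` around clearing `mallstream`, restoring the hooks and closing `f`, and document that ordering in a comment.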