diff --git a/glibc.spec b/glibc.spec index ffeb760ef673fa8f38ea22970d68430de3103d82..c6857614738b1a18c0ff43fdc4279ef93d058b2e 100644 --- a/glibc.spec +++ b/glibc.spec @@ -62,7 +62,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 117 +Release: 118 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -185,6 +185,7 @@ Patch98: use_uintptr_t_for_address_diagnostic.patch Patch99: fix-global_max_fast-based-on-MIN_CHUNK_SIZE.patch Patch100: malloc_remove_unwanted_leading_whitespace_in_malloc_info.patch Patch101: malloc-Add-more-integrity-checks-to-mremap_chunk.patch +Patch102: malloc-Fix-tcache-count-maximum.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1304,6 +1305,9 @@ fi %endif %changelog +* Sat Oct 25 2025 panzhe - 2.28-118 +- malloc: Fix tcache count maximum + * Thu Oct 23 2025 panzhe - 2.28-117 - malloc: Add more integrity checks to mremap_chunk diff --git a/malloc-Fix-tcache-count-maximum.patch b/malloc-Fix-tcache-count-maximum.patch new file mode 100644 index 0000000000000000000000000000000000000000..5cbce421a4d85ad0a164191ee75e74bc7e225a7d --- /dev/null +++ b/malloc-Fix-tcache-count-maximum.patch @@ -0,0 +1,64 @@ +From 5ad533e8e65092be962e414e0417112c65d154fb Mon Sep 17 00:00:00 2001 +From: Wilco Dijkstra +Date: Fri, 10 May 2019 16:38:21 +0100 +Subject: [PATCH] Fix tcache count maximum (BZ #24531) + +The tcache counts[] array is a char, which has a very small range and thus +may overflow. When setting tcache_count tunable, there is no overflow check. +However the tunable must not be larger than the maximum value of the tcache +counts[] array, otherwise it can overflow when filling the tcache. + + [BZ #24531] + * malloc/malloc.c (MAX_TCACHE_COUNT): New define. + (do_set_tcache_count): Only update if count is small enough. + * manual/tunables.texi (glibc.malloc.tcache_count): Document max value. +--- + malloc/malloc.c | 9 +++++++-- + manual/tunables.texi | 4 ++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index bf3e8ea4..2479b824 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -2923,6 +2923,8 @@ typedef struct tcache_perthread_struct + tcache_entry *entries[TCACHE_MAX_BINS]; + } tcache_perthread_struct; + ++#define MAX_TCACHE_COUNT 127 /* Maximum value of counts[] entries. */ ++ + static __thread bool tcache_shutting_down = false; + static __thread tcache_perthread_struct *tcache = NULL; + +@@ -5164,8 +5166,11 @@ static inline int + __always_inline + do_set_tcache_count (size_t value) + { +- LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count); +- mp_.tcache_count = value; ++ if (value <= MAX_TCACHE_COUNT) ++ { ++ LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count); ++ mp_.tcache_count = value; ++ } + return 1; + } + +diff --git a/manual/tunables.texi b/manual/tunables.texi +index 79347bf3..9d74dff1 100644 +--- a/manual/tunables.texi ++++ b/manual/tunables.texi +@@ -188,8 +188,8 @@ per-thread cache. The default (and maximum) value is 1032 bytes on + + @deftp Tunable glibc.malloc.tcache_count + The maximum number of chunks of each size to cache. The default is 7. +-There is no upper limit, other than available system memory. If set +-to zero, the per-thread cache is effectively disabled. ++The upper limit is 127. If set to zero, the per-thread cache is effectively ++disabled. + + The approximate maximum overhead of the per-thread cache is thus equal + to the number of bins times the chunk count in each bin times the size +-- +2.33.0 +