From 03a7c36ddbc0ddb1063d2c8a37c64d83e1519c55 Mon Sep 17 00:00:00 2001 From: Konstantin Belousov Date: Wed, 6 Sep 2023 16:50:27 +0300 Subject: [PATCH] __crt_aligned_alloc_offset(): fix ov_index for backing allocation address Wrong value of ov_index resulted in magic check failure, and refuse to free() the memory allocated with __crt_aligned_alloc_offset(). Then the TLS segments of exited threads leaked. Reported and tested by: glebius Fixes: c29ee08204ce4106d4992474005c5f2fb7d5fbf1 Sponsored by: The FreeBSD Foundation MFC after: 3 days
---
libexec/rtld-elf/rtld_malloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexec/rtld-elf/rtld_malloc.c b/libexec/rtld-elf/rtld_malloc.c
index 6e011e88ba5a..4b5140551675 100644
--- a/libexec/rtld-elf/rtld_malloc.c
+++ b/libexec/rtld-elf/rtld_malloc.c
@@ -188,7 +188,7 @@ __crt_aligned_alloc_offset(size_t align, size_t size, size_t offset)
 x += offset;
 ov = cp2op((void *)x);
 ov1.ov_magic = AMAGIC;
- ov1.ov_index = x - (uintptr_t)mem - sizeof(union overhead);
+ ov1.ov_index = x - (uintptr_t)mem + sizeof(union overhead);
 memcpy(ov, &ov1, sizeof(ov1));
 return ((void *)x);
 }
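Review bot: The corrected expression `x - (uintptr_t)mem + sizeof(union overhead)` is stored into `ov1.ov_index` with no check that it fits the field, whose width is not visible in this hunk. If a large `align` can push the distance past that width, the value is truncated silently and the free path would again derive the wrong backing address: at best the magic check fails and the memory leaks as the commit message describes, at worst an unrelated address is treated as a chunk header. Consider verifying the round trip right after the assignment, e.g. `if (ov1.ov_index != x - (uintptr_t)mem + sizeof(union overhead))` followed by releasing `mem` and returning NULL. A comment such as `/* ov_index: bytes from x back to the overhead header of the backing allocation */` would also make the intended sign explicit. The start of the function (the allocation of `mem` and the rounding of `x`) lies outside the hunk.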