From 210f0d0b2bb3ed51a83a675c34f09fc36ac686e1 Mon Sep 17 00:00:00 2001 From: Kevin Svetlitski Date: Thu, 15 Jun 2023 14:47:20 -0700 Subject: [PATCH] Fix read of uninitialized data in `prof_free` In #2433, I inadvertently introduced a regression which causes the use of uninitialized data. Namely, the control path I added for the safety check in `arena_prof_info_get` neglected to set `prof_info->alloc_tctx` when the check fails, resulting in `prof_info.alloc_tctx` being uninitialized [when it is read at the end of `prof_free`](https://github.com/jemalloc/jemalloc/blob/90176f8a87a0b5bdb0ac4c1a515b1d9c58dc5a82/include/jemalloc/internal/prof_inlines.h#L272). --- include/jemalloc/internal/arena_inlines_b.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/jemalloc/internal/arena_inlines_b.h b/include/jemalloc/internal/arena_inlines_b.h index 11b0ce46..bf25a31c 100644 --- a/include/jemalloc/internal/arena_inlines_b.h +++ b/include/jemalloc/internal/arena_inlines_b.h @@ -96,6 +96,7 @@ arena_prof_info_get(tsd_t *tsd, const void *ptr, emap_alloc_ctx_t *alloc_ctx, if (reset_recent && large_dalloc_safety_checks(edata, ptr, edata_szind_get(edata))) { + prof_info->alloc_tctx = (prof_tctx_t *)(uintptr_t)1U; return; } large_prof_info_get(tsd, edata, prof_info, reset_recent);