Double free

각종 표준에는 이미 해체한 메모리를 다시 해체하려고 할 때 행동을 정의하지 않고 있으나, GLIBC는 깔끔하게 자살해주고 있다. 자살할 때 패턴을 눈에 익혀 놓으면 나중에 왜 죽었지?하는 일이 줄어들 것이다.

#include <stdlib.h>

int
main(int argc, char* argv[])
{
    void* p(malloc(1024));
    free(p);
    free(p);
    return 0;
}

컴파일 및 실행


$ g++ -O2 -g dblfree.cpp -o dblfree



$ ./dblfree

*** glibc detected *** ./dblfree: double free or corruption (top): 0x000000001460a010 ***

======= Backtrace: =========

/lib64/libc.so.6[0x3704671684]

/lib64/libc.so.6(cfree+0x8c)[0x3704674ccc]

./dblfree(__gxx_personality_v0+0x10e)[0x4005de]

/lib64/libc.so.6(__libc_start_main+0xf4)[0x370461d8b4]

./dblfree(__gxx_personality_v0+0x39)[0x400509]

======= Memory map: ========

00400000-00401000 r-xp 00000000 08:07 45776987                           /home/purewell/tmp/dblfree

00600000-00601000 rw-p 00000000 08:07 45776987                           /home/purewell/tmp/dblfree

1460a000-1462b000 rw-p 1460a000 00:00 0

3703600000-370361a000 r-xp 00000000 08:03 4845228                        /lib64/ld-2.5.so

370381a000-370381b000 r--p 0001a000 08:03 4845228                        /lib64/ld-2.5.so

370381b000-370381c000 rw-p 0001b000 08:03 4845228                        /lib64/ld-2.5.so

3704600000-370474a000 r-xp 00000000 08:03 4845229                        /lib64/libc-2.5.so

370474a000-3704949000 ---p 0014a000 08:03 4845229                        /lib64/libc-2.5.so

3704949000-370494d000 r--p 00149000 08:03 4845229                        /lib64/libc-2.5.so

370494d000-370494e000 rw-p 0014d000 08:03 4845229                        /lib64/libc-2.5.so

370494e000-3704953000 rw-p 370494e000 00:00 0

3704a00000-3704a82000 r-xp 00000000 08:03 4845236                        /lib64/libm-2.5.so

3704a82000-3704c81000 ---p 00082000 08:03 4845236                        /lib64/libm-2.5.so

3704c81000-3704c82000 r--p 00081000 08:03 4845236                        /lib64/libm-2.5.so

3704c82000-3704c83000 rw-p 00082000 08:03 4845236                        /lib64/libm-2.5.so

3711400000-371140d000 r-xp 00000000 08:03 4845238                        /lib64/libgcc_s-4.1.2-20080102.so.1

371140d000-371160d000 ---p 0000d000 08:03 4845238                        /lib64/libgcc_s-4.1.2-20080102.so.1

371160d000-371160e000 rw-p 0000d000 08:03 4845238                        /lib64/libgcc_s-4.1.2-20080102.so.1

3712c00000-3712ce6000 r-xp 00000000 08:03 2712938                        /usr/lib64/libstdc++.so.6.0.8

3712ce6000-3712ee5000 ---p 000e6000 08:03 2712938                        /usr/lib64/libstdc++.so.6.0.8

3712ee5000-3712eeb000 r--p 000e5000 08:03 2712938                        /usr/lib64/libstdc++.so.6.0.8

3712eeb000-3712eee000 rw-p 000eb000 08:03 2712938                        /usr/lib64/libstdc++.so.6.0.8

3712eee000-3712f00000 rw-p 3712eee000 00:00 0

2ac6ad10a000-2ac6ad10b000 rw-p 2ac6ad10a000 00:00 0

2ac6ad124000-2ac6ad127000 rw-p 2ac6ad124000 00:00 0

2ac6b0000000-2ac6b0021000 rw-p 2ac6b0000000 00:00 0

2ac6b0021000-2ac6b4000000 ---p 2ac6b0021000 00:00 0

7ffffd98b000-7ffffd9a0000 rw-p 7ffffd98b000 00:00 0                      [stack]

ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]

Aborted (core dumped)



$ gdb -c core.16631 ./dblfree

GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)

Copyright (C) 2006 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".



Reading symbols from /usr/lib64/libstdc++.so.6...done.

Loaded symbols for /usr/lib64/libstdc++.so.6

Reading symbols from /lib64/libm.so.6...done.

Loaded symbols for /lib64/libm.so.6

Reading symbols from /lib64/libgcc_s.so.1...done.

Loaded symbols for /lib64/libgcc_s.so.1

Reading symbols from /lib64/libc.so.6...done.

Loaded symbols for /lib64/libc.so.6

Reading symbols from /lib64/ld-linux-x86-64.so.2...done.

Loaded symbols for /lib64/ld-linux-x86-64.so.2

Core was generated by `./dblfree'.

Program terminated with signal 6, Aborted.

#0  0x0000003704630155 in raise () from /lib64/libc.so.6

(gdb) bt

#0  0x0000003704630155 in raise () from /lib64/libc.so.6

#1  0x0000003704631bf0 in abort () from /lib64/libc.so.6

#2  0x000000370466a3db in __libc_message () from /lib64/libc.so.6

#3  0x0000003704671684 in _int_free () from /lib64/libc.so.6

#4  0x0000003704674ccc in free () from /lib64/libc.so.6

#5  0x00000000004005de in main (argc=<value optimized out>, argv=<value optimized out>) at dblfree.cpp:8

(gdb)

원본 위치: http://purewell.egloos.com/3868782

Bash Array, Map 정리

Bash에서 Array, Map에 대한 정리. (매번 찾기 귀찮) 찾아보진 않았지만, Bash에서 Array든 Map이든 동일하게 Map(C++에서 Unordered Map)으로 동작하는 것 같다. 왜냐하면, Array의 Index가 연속하지 않아도 동작한다. 그저 Key가 0 이상의 정수인 Map이랑 비슷하게 동작한다. 예) 1, 2, 3, 9, 10 Array # 생성 declare -a empty_array declare -a ar=(haha hoho baba "long string haha hoho") # 접근 echo "ar[0]=${ar[0]}" echo "all as array=${ar[@]}" # 큰따옴표 안에서 각 원소를 따로따로 전달한다. echo "all as one=${ar[*]}" # 큰따옴표 안에서 각 원소를 문자열 하나로 합쳐 전달한다. echo "indexes=${!ar[@]}" echo "indexes=${!ar[*]}" echo "length=${#ar[@]}" echo "length=${#ar[*]}" echo "last=${ar[-1]}" echo "last=${ar[@]: -1}" # 콜론 뒤에 빈 칸이 꼭 필요하다. 옛 방식 # 현재 상황 declare -p ar #(출력) declare -a ar=([0]="haha" [1]="hoho" [2]="baba" [3]="long string haha hoho") ar[100]=hello # 인덱스를 건너 뛰어도 동작한다. declare -p ar #(출력) declare -a ar=([0]="haha" [1]="hoho" [2]="baba" [3]=...

자세한 내용 보기

Purewell.BIZ

이 블로그 검색

Double free

태그

댓글

댓글 쓰기

이 블로그의 인기 게시물

Ubuntu 깔린 노트북에서 뚜껑 닫아도 절전모드로 들어가지 않게 하기

Bash Array, Map 정리

설치한 패키지에서 RPM 추출하기