Diagnosing Memory Heap Corruption in glibc with MALLOC_CHECK_

  • 3113982
  • 11-Mar-2008
  • 18-Apr-2019

Environment

Novell eDirectory 8.7.3 for Linux
Novell eDirectory 8.8 for Linux
Novell Open Enterprise Server (Linux based)
Novell SUSE Linux Enterprise Server 9
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 11
 

Situation

The GNU C Library (glibc) is the standard C library on Linux systems. Other C libraries exist and are sometimes used for special purposes (such as very small subsets of the standard C libraries used for embedded systems and bootstrapping), but glibc is the standard C library on all Linux distributions.
 
glibc includes three simple memory-checking tools. Two of them, mcheck() and MALLOC_CHECK_, enforce heap data structure consistency checking; the third, mtrace(), traces memory allocation and deallocation for later processing. When memory is allocated from the heap, the memory management functions need somewhere to store information about the allocations. That place is the heap itself, so the heap is composed of alternating areas of memory that are used by the program and by the memory management functions themselves. As a result, buffer overflows or underruns can damage the data structures that the memory management functions use to keep track of what memory has been allocated.
 
When this happens, all bets are off, except that it is a pretty good bet that the memory management functions will eventually cause the program to crash. If the MALLOC_CHECK_ environment variable is set, a different and somewhat slower set of memory management functions is used. These functions are more tolerant of errors and can check for calling free() more than once on the same pointer and for single-byte buffer overflows.
 
 

Resolution

Setting MALLOC_CHECK_ :


  1. If MALLOC_CHECK_ is set to 0 (zero), the memory management functions are simply most tolerant of errors and do not give warnings.
    • This may be useful if we are prevented from finding one memory bug by another that is not convenient to fix at the moment; it might allow us to use other tools to chase down the other memory bug.
    • It may also be useful if you are running code that works on another system but not on Linux.  It can provide a quick workaround that may allow the code to temporarily function, before you have the chance to resolve the error.

  2. If MALLOC_CHECK_ is set to 1 (one), the memory management functions print out warning messages on standard error when problems are noticed.
    • This is useful if we are not aware of any problems and just want to be notified if any problems exist.

  3. If MALLOC_CHECK_ is set to 2 (two), the memory management functions call abort() when problems are noticed.
    • This is most useful from inside the debugger or a shell starting an application or daemon.  It allows a backtrace to be obtained as soon as the memory management functions discover an error, providing information closest to the point at which the error has happened.
    • If a core is caused by a memory corruption, we have more information about memory allocations.  This is better for troubleshooting and determining where/which application overwrote a memory address.

  4. Settings 1 and 2 can be combined by setting MALLOC_CHECK_ to 3 (three).
    This will enable the print out of warning messages on standard error (1), and will call abort() when problems are noticed (2).  
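
The following C program is an added example, not code from the original article and not glibc code. It is a toy allocator that models why a checking allocator can catch the two bug classes named in the Situation section (a single-byte overflow and a second free() of the same pointer), and how the warn and abort settings listed above combine. The names toy_malloc, toy_free, check_level and GUARD, and the guard-byte scheme itself, are assumptions made for illustration.

```c
/* Toy model of a checking allocator. Constructed for illustration; NOT glibc code. */
#include <stdio.h>
#include <stdlib.h>

enum chk { CHK_OK, CHK_OVERFLOW, CHK_DOUBLE_FREE };
struct hdr { size_t size; size_t live; };  /* allocator bookkeeping */
static struct hdr arena[256];  /* toy heap: headers and user data alternate */
static size_t top;             /* next unused slot in arena */
static int check_level = 1;    /* plays the role of the MALLOC_CHECK_ value */
#define GUARD(h) ((unsigned char)(0xA5 ^ (h)->size))  /* byte kept right after user data (assumed scheme) */

void *toy_malloc(size_t n) {
    size_t slots = 1 + (n + sizeof(struct hdr)) / sizeof(struct hdr);  /* header + data + guard */
    if (n >= sizeof arena || top + slots > 256) return NULL;
    struct hdr *h = &arena[top];
    top += slots;
    h->size = n; h->live = 1;
    ((unsigned char *)(h + 1))[n] = GUARD(h);
    return h + 1;
}

/* Validate the chunk when it is freed; level bit 1 warns, bit 2 calls abort(). */
enum chk toy_free(void *p) {
    if (!p) return CHK_OK;
    struct hdr *h = (struct hdr *)p - 1;
    enum chk r = !h->live ? CHK_DOUBLE_FREE
               : ((unsigned char *)p)[h->size] != GUARD(h) ? CHK_OVERFLOW : CHK_OK;
    h->live = 0;
    if (r != CHK_OK && (check_level & 1)) fprintf(stderr, "toy_free: problem %d\n", (int)r);
    if (r != CHK_OK && (check_level & 2)) abort();
    return r;
}

enum chk demo_overflow(void) {
    char *p = toy_malloc(24);
    for (size_t i = 0; p && i <= 24; i++) p[i] = 'A';  /* bug: <= writes 25 bytes */
    return toy_free(p);
}

enum chk demo_double_free(void) {
    char *p = toy_malloc(24);
    toy_free(p);
    return toy_free(p);  /* second free() of the same pointer */
}

int main(void) {
    if (getenv("MALLOC_CHECK_")) check_level = atoi(getenv("MALLOC_CHECK_"));
    printf("overflow=%d double_free=%d\n", demo_overflow(), demo_double_free());
    return 0;
}
```

Run with MALLOC_CHECK_ set to 1 the toy only warns on standard error; with 2 or 3 it stops at the first detected problem through abort(), which is the point where a backtrace or core file is closest to the faulty write.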

Additional Information

Setting MALLOC_CHECK_ examples:

For ndsd/eDirectory:
  1. Add the following to the /opt/novell/eDirectory/sbin/pre_ndsd_start file:
         export MALLOC_CHECK_=3
    Note: the pre_ndsd_start script/file is usually empty.  If there are other lines in the file, this should go first.

  2. Restart ndsd (/etc/init.d/ndsd restart) to activate.
NOTES:
- SLES 12 and RHEL 7: due to systemd requirements, you must add all the environment variables required for the eDirectory service to the env file located in the /etc/opt/novell/eDirectory/conf directory.
- This setting should be used for debugging purposes only. Due to potential performance impact (which could be up to 25% in some cases), it is recommended to comment it out (and restart the process) as soon as the needed core file(s) are obtained.


For namcd:
  1. Add MALLOC_CHECK_=3 to NAMCD script (/etc/init.d/namcd):
    The script will then look similar to:
    ...
    # Template configuration variables

    prefix=/usr
    exec_prefix=/usr
    sbindir=/usr/sbin
    bindir=/usr/bin
    initdir=/etc/init.d

    export MALLOC_CHECK_=3

    userID=`id`
    ...

  2. Restart NAMCD (/etc/init.d/namcd restart) to activate
NOTE: This setting should be used for debugging purposes only.
Due to potential performance impact (which could be up to 25% in some cases), it is recommended to comment it out (and restart the process) as soon as the needed core file(s) are obtained.