malloc.c: changelog

2026-03-04

A changelog for malloc internals to help with heap exploitation.

Version Notes
2.27 todo: _int_malloc bin searching and malloc_consolidate changes
2.28 no notable changes
2.29
  • new check: tcache_entry->key is added to detect a double-free in tcache: tcache_put sets e->key to the tcache pointer, and a chunk that arrives in free with the key already set makes free walk the bin and abort with "free(): double free detected in tcache 2" if the chunk is found there (the pointer is replaced by a random tcache_key in 2.34)
2.30
  • malloc now checks the tcache bin count instead of checking the entries directly
    - tcache->entries[tc_idx] != NULL
    + tcache->counts[tc_idx] > 0
  • new check: malloc now validates the largebin nextsize links when it inserts a chunk into a large bin in sorted order (this is the check that stops the classic largebin attack on that path):
    if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
        malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
  • new check: malloc now validates the largebin bk pointer on the same path:
    if (bck->fd != fwd)
        malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
2.31 no notable changes
2.32
  • safe-linking is introduced: the next/fd pointer of tcache and fastbin chunks is stored as ptr ^ (address_of_slot >> 12) (PROTECT_PTR / REVEAL_PTR), so forging a link needs a heap leak
  • new check: tcache_get now checks alignment of the revealed next pointer
  • new check: tcache_thread_shutdown now checks alignment while draining the bins
  • new check: malloc now checks alignment of fastbin chunks
  • new check: free now checks alignment of tcache entries while walking the bin in the double-free check
  • new check: malloc_consolidate now checks alignment of fastbin chunks
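Safe-linking arithmetic as an added example (not code from glibc or from this changelog): protect_ptr/reveal_ptr follow the PROTECT_PTR/REVEAL_PTR macros in malloc.c, the alignment test follows aligned_OK for a 16-byte MALLOC_ALIGNMENT, and the heap addresses are constructed values for a hypothetical 64-bit process. It shows the three things the 2.32 change means in practice: a leaked link of a single-entry bin gives the chunk's page, forging a link needs that page value, and an unaligned target is rejected.

```c
/* Safe-linking (glibc 2.32): the next/fd pointer of a tcache or fastbin
   chunk is stored XORed with (address of the slot holding it) >> 12.
   Added example, not glibc code.  protect_ptr/reveal_ptr follow the
   PROTECT_PTR/REVEAL_PTR macros in malloc.c; the addresses below are
   constructed values for a hypothetical 64-bit process. */
#include <stdint.h>
#include <stdio.h>

/* pos is the address of the field that holds the pointer; for tcache that
   is the chunk's user pointer, because next is the first word of tcache_entry. */
static uintptr_t protect_ptr(uintptr_t pos, uintptr_t ptr) {
    return ptr ^ (pos >> 12);
}

/* REVEAL_PTR(ptr) is PROTECT_PTR(&ptr, ptr): the same XOR undoes it. */
static uintptr_t reveal_ptr(uintptr_t pos, uintptr_t mangled) {
    return protect_ptr(pos, mangled);
}

/* aligned_OK: after revealing, tcache_get and the fastbin path abort if the
   pointer is not MALLOC_ALIGNMENT (16 on x86_64) aligned. */
static int aligned_ok(uintptr_t p) {
    return (p & 0xf) == 0;
}

/* The last chunk of a bin stores PROTECT_PTR(pos, NULL) == pos >> 12, so a
   leak of that word gives the 4 KiB page the chunk sits on (not necessarily
   the heap start). */
static uintptr_t page_from_leak(uintptr_t leaked_next) {
    return leaked_next << 12;
}

/* Value an attacker has to write into the slot at pos so the allocator
   follows it to target.  Needs pos >> 12 (a heap leak) and a 16-aligned
   target; returns 0 for a target the 2.32 alignment check would reject. */
static uintptr_t forge_link(uintptr_t pos, uintptr_t target) {
    if (!aligned_ok(target))
        return 0;
    return protect_ptr(pos, target);
}

int main(void) {
    /* constructed: chunks A and B on one heap page; B freed first, then A */
    uintptr_t a = 0x5555555592a0, b = 0x5555555592f0;
    uintptr_t b_next = protect_ptr(b, 0);    /* B was alone in the bin */
    uintptr_t a_next = protect_ptr(a, b);    /* A -> B */

    printf("A.next on heap: %#lx, reveals %#lx\n",
           (unsigned long)a_next, (unsigned long)reveal_ptr(a, a_next));
    printf("B.next on heap: %#lx -> page %#lx\n",
           (unsigned long)b_next, (unsigned long)page_from_leak(b_next));
    printf("to point A at 0x7fffffffe3b0 write %#lx\n",
           (unsigned long)forge_link(a, 0x7fffffffe3b0));
    printf("0x7fffffffe3b8 as a target: %s\n",
           forge_link(a, 0x7fffffffe3b8) ? "accepted" : "rejected (unaligned)");
    return 0;
}
```

Note that the mask is the page of the slot, not of the chunk being pointed to: when both chunks share a page the link is just a small XOR, but a link that crosses pages still reveals correctly because only the storing slot's address enters the mask.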
2.36 no notable changes
2.37 no notable changes
2.38
  • tcache_get_n is introduced, a generalized version of tcache_get that supports popping from anywhere in the linked list. tcache_get is implemented as
    tcache_get_n (tc_idx, & tcache->entries[tc_idx]);
  • aligned_alloc() is added (calls _mid_memalign)
  • _mid_memalign can service requests from tcache (the reason tcache_get_n was added)
  • memalign: new strategy for searching: existing free chunks are scanned for one that already satisfies the alignment before a larger chunk is split (read implementation later)
2.39 _int_free_merge_chunk is introduced (the consolidate-with-neighbours part of _int_free split out into its own function)
2.40 todo
2.41
  • calloc can now service requests from tcache
  • new check: "free(): too many chunks detected in tcache"; a new function, tcache_double_free_verify, runs when free suspects a double free (key match). It walks the bin and aborts if it reaches more entries than the bin's maximum count (mp_.tcache_count), which catches a forged or looped next chain, and aborts with the usual "double free detected in tcache 2" if it finds the chunk itself.
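A model of the tcache double-free logic as it stands after the 2.29, 2.30 and 2.41 changes above (with the 2.42 key clearing, since that is the current shape), as an added example that is not glibc code: one bin, plain next pointers with safe-linking left out, a constructed constant standing in for the random tcache_key, and statically allocated structs standing in for chunks. Each demo function returns the message the real allocator would abort with, or NULL when the free goes through.

```c
/* Model of the tcache double-free checks: key marking (2.29), count
   gating in malloc (2.30), tcache_double_free_verify (2.41) and key
   clearing on a false positive (2.42).  Added example, not glibc code.
   One bin only, plain next pointers (safe-linking left out), and the
   per-process random tcache_key is a constructed constant. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCACHE_COUNT 7                 /* default mp_.tcache_count */

struct tcache_entry {
    struct tcache_entry *next;
    uintptr_t key;                     /* set on free, cleared on malloc */
};

static struct tcache_entry *entries;   /* tcache->entries[tc_idx] */
static size_t counts;                  /* tcache->counts[tc_idx] */
static const uintptr_t tcache_key = 0x5e1fc0ffee1234c7ULL;  /* stand-in */

static void tcache_reset(void) { entries = NULL; counts = 0; }

/* 2.41: walk the bin when the key matches; abort on a real double free,
   a misaligned entry, or a list longer than the bin can legitimately be. */
static const char *tcache_double_free_verify(struct tcache_entry *e) {
    size_t cnt = 0;
    for (struct tcache_entry *tmp = entries; tmp; tmp = tmp->next, ++cnt) {
        if (cnt >= TCACHE_COUNT)
            return "free(): too many chunks detected in tcache";
        if (((uintptr_t)tmp & 0xf) != 0)
            return "free(): unaligned chunk detected in tcache 2";
        if (tmp == e)
            return "free(): double free detected in tcache 2";
    }
    return NULL;
}

/* The tcache part of free.  NULL: cached.  "bin full": the real allocator
   would fall through to the fastbin/unsorted path.  Otherwise: abort. */
static const char *tcache_free(struct tcache_entry *e) {
    if (e->key == tcache_key) {             /* 2.29: suspected double free */
        const char *err = tcache_double_free_verify(e);
        if (err) return err;
        e->key = 0;                         /* 2.42: coincidence, clear it */
    }
    if (counts >= TCACHE_COUNT) return "bin full";
    e->key = tcache_key;                    /* tcache_put */
    e->next = entries;
    entries = e;
    ++counts;
    return NULL;
}

/* tcache fast path of malloc: gated on the count, not on entries (2.30). */
static struct tcache_entry *tcache_malloc(void) {
    if (counts == 0) return NULL;
    struct tcache_entry *e = entries;      /* tcache_get */
    entries = e->next;
    --counts;
    e->key = 0;
    return e;
}

/* constructed "chunks"; 16-aligned so the alignment check passes */
static _Alignas(16) struct tcache_entry a, b, c;

static void reset_all(void) {
    tcache_reset();
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b); memset(&c, 0, sizeof c);
}

/* free(a); free(a): caught on the second free by the key and the walk. */
static const char *demo_double_free(void) {
    reset_all();
    tcache_free(&a);
    return tcache_free(&a);
}

/* User data that merely equals the key: the walk finds nothing, the key
   is cleared and the chunk is cached normally. */
static const char *demo_key_coincidence(void) {
    reset_all();
    tcache_free(&a);
    b.key = tcache_key;                     /* "payload" in b's key slot */
    return tcache_free(&b);
}

/* A corrupted next pointer turning the bin into a cycle is caught by the
   2.41 length bound as soon as any free triggers the walk. */
static const char *demo_forged_cycle(void) {
    reset_all();
    tcache_free(&a);
    tcache_free(&b);                        /* bin: b -> a */
    a.next = &b;                            /* corruption: b -> a -> b -> ... */
    c.key = tcache_key;                     /* anything that makes free look twice */
    return tcache_free(&c);
}

/* 2.30: a forged entries pointer with counts == 0 is ignored by malloc. */
static int demo_count_gate(void) {
    reset_all();
    entries = &a;                           /* forged head, count still 0 */
    return tcache_malloc() == NULL;
}
```

The forged-cycle case is the one the 2.41 function was written for: before it, a key match on a chunk that is not actually in the bin would walk a corrupted list forever or off into unmapped memory, and a cycle shorter than the bin count would never be noticed.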
2.42
  • commit: cbfd798
    This patch changes tcache implementation to allow to cache any chunk
    size allocations.  The implementation adds extra bins (linked-lists)
    which store chunks with different ranges of allocation sizes. Bin
    selection is done in multiples in powers of 2 and chunks are inserted in
    growing size ordering within the bin.  The last bin contains all other
    sizes of allocations.
    This patch although by default preserves the same implementation,
    limiting caches to 1KB chunks, it now allows to increase the max size
    for the cached chunks with the tunable glibc.malloc.tcache_max.
    It also now verifies if chunk was mmapped, in which case __libc_free
    will not add it to tcache.
  • tcache: each bin may allow a different maximum number of free blocks
  • tcache: a bin can be disabled by initializing 'num_slots' to zero
  • tcache: tcache_put_n is introduced. Allows inserting in the middle of the linked list, similar to tcache_get_n in 2.38
  • tcache: tcache large bins are sorted in ascending order. The function tcache_location_large is used to traverse the bin each time to find a location to maintain the list order. (This is why tcache_put_n was added)
  • tcache: when the allocator suspects a tcache double-free (via tcache_entry->key) it walks the bin to confirm. Previously a false positive (the walk found nothing) left the key untouched and did nothing else; now tcache_double_free_verify zeroes ->key before the chunk is freed for real
  • stashing (filling the tcache from the fastbin/smallbin path of _int_malloc) is done only for the small tcache bins, not the new large ones
  • new check: in the malloc largebin insertion path, on the branch for a chunk smaller than the smallest one already in the bin (the branch the 2.30 check did not cover, which kept one largebin attack variant alive):
    if (__glibc_unlikely (fwd->fd->bk_nextsize->fd_nextsize != fwd->fd))
        malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
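The large-bin insertion step with the 2.30 checks (listed under 2.30 above) and this 2.42 check, as an added example that is not glibc code: the list and skip-list layout follow the "place chunk in bin" block of _int_malloc, but there is no arena, no size bits and no unsorted bin, the chunks are static structs, and each check can be switched off to show which corruption it blocks. Both largebin attack variants are driven against the same bin: the classic one on the sorted-search path and the one on the smaller-than-smallest path.

```c
/* Model of the "place chunk in bin" step of _int_malloc for large bins,
   with the checks added in 2.30 (search path) and 2.42 (smaller-than-
   smallest path), and the largebin-attack write each one blocks.  Added
   example, not glibc code: no arena, no size bits, sizes are plain values. */
#include <stddef.h>
#include <string.h>

#define CHECKS_2_30 1
#define CHECKS_2_42 2

struct chunk {
    size_t size;
    struct chunk *fd, *bk;                   /* bin list, largest first */
    struct chunk *fd_nextsize, *bk_nextsize; /* skip list over distinct sizes */
};

/* bin head: head->fd is the largest chunk, head->bk the smallest */
static void bin_init(struct chunk *head) {
    memset(head, 0, sizeof *head);
    head->fd = head->bk = head;
}

/* Returns NULL on success, else the malloc_printerr message. */
static const char *largebin_insert(struct chunk *head, struct chunk *victim, int checks) {
    struct chunk *bck = head, *fwd = head->fd;
    size_t size = victim->size;

    if (fwd != head) {
        if (size < head->bk->size) {
            /* smaller than smallest: goes behind the tail, and on the skip
               list between the largest chunk and its bk_nextsize */
            fwd = head;
            bck = head->bk;
            victim->fd_nextsize = fwd->fd;
            victim->bk_nextsize = fwd->fd->bk_nextsize;
            if ((checks & CHECKS_2_42) && fwd->fd->bk_nextsize->fd_nextsize != fwd->fd)
                return "malloc(): largebin double linked list corrupted (nextsize)";
            fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
        } else {
            while (size < fwd->size)         /* walk the skip list down in size */
                fwd = fwd->fd_nextsize;
            if (size == fwd->size) {
                fwd = fwd->fd;               /* same size: second position, off the skip list */
            } else {
                victim->fd_nextsize = fwd;
                victim->bk_nextsize = fwd->bk_nextsize;
                if ((checks & CHECKS_2_30) && fwd->bk_nextsize->fd_nextsize != fwd)
                    return "malloc(): largebin double linked list corrupted (nextsize)";
                fwd->bk_nextsize = victim;
                victim->bk_nextsize->fd_nextsize = victim;   /* the attacker's write */
            }
            bck = fwd->bk;
            if ((checks & CHECKS_2_30) && bck->fd != fwd)
                return "malloc(): largebin double linked list corrupted (bk)";
        }
    } else {
        victim->fd_nextsize = victim->bk_nextsize = victim;
    }
    victim->bk = bck;
    victim->fd = fwd;
    fwd->bk = victim;
    bck->fd = victim;
    return NULL;
}

/* constructed chunks: c1/c2 start in the bin; target is attacker-chosen
   memory whose fd_nextsize slot overlays the value to be hijacked */
static struct chunk head, c1, c2, victim, target;

static void setup(void) {
    bin_init(&head);
    memset(&c1, 0, sizeof c1); memset(&c2, 0, sizeof c2);
    memset(&victim, 0, sizeof victim); memset(&target, 0, sizeof target);
    c1.size = 0x500; c2.size = 0x400;
    largebin_insert(&head, &c1, CHECKS_2_30 | CHECKS_2_42);
    largebin_insert(&head, &c2, CHECKS_2_30 | CHECKS_2_42);
}

/* Classic largebin attack: corrupt bk_nextsize of the chunk the victim
   will be placed before, then sort in a chunk of a size in between.
   Returns 1 if &victim landed in target.fd_nextsize, 0 if aborted. */
static int search_path_attack(int checks) {
    setup();
    victim.size = 0x480;
    c2.bk_nextsize = &target;
    if (largebin_insert(&head, &victim, checks)) return 0;
    return target.fd_nextsize == &victim;
}

/* The variant that survived until 2.42: corrupt bk_nextsize of the largest
   chunk and sort in a chunk smaller than everything in the bin. */
static int tail_path_attack(int checks) {
    setup();
    victim.size = 0x3f0;
    c1.bk_nextsize = &target;
    if (largebin_insert(&head, &victim, checks)) return 0;
    return target.fd_nextsize == &victim;
}

/* Sanity check of the model: sizes come out descending and the skip list
   holds exactly one chunk per distinct size. */
static int sorted_order_ok(void) {
    static struct chunk c3, c4;
    setup();
    memset(&c3, 0, sizeof c3); memset(&c4, 0, sizeof c4);
    c3.size = c4.size = 0x480;
    largebin_insert(&head, &c3, CHECKS_2_30 | CHECKS_2_42);
    largebin_insert(&head, &c4, CHECKS_2_30 | CHECKS_2_42);
    return head.fd == &c1 && c1.fd == &c3 && c3.fd == &c4 && c4.fd == &c2 && c2.fd == &head
        && c1.fd_nextsize == &c3 && c3.fd_nextsize == &c2 && c2.fd_nextsize == &c1;
}
```

Run with checks set to CHECKS_2_30 alone to see the state of affairs between 2.30 and 2.41: the search-path write is refused because the attacker's target does not point back at fwd, while the tail-path write still lands, since that branch never looked at where bk_nextsize led before dereferencing it.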
2.43 todo