From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: DJ Delorie <dj@redhat.com>
Cc: libc-alpha@sourceware.org, Richard.Earnshaw@arm.com
Subject: Re: [PATCH 01/16] malloc: Fix a realloc crash with heap tagging [BZ 27468]
Date: Fri, 5 Mar 2021 12:01:34 +0000
Message-ID: <20210305120133.GQ12795@arm.com>
In-Reply-To: <xnsg5av4kc.fsf@rhel8.vm>
The 03/04/2021 19:15, DJ Delorie wrote:
> Szabolcs Nagy <szabolcs.nagy@arm.com> writes:
> > diff --git a/malloc/malloc.c b/malloc/malloc.c
> > index 1f4bbd8edf..10ea6aa441 100644
> > --- a/malloc/malloc.c
> > +++ b/malloc/malloc.c
> > @@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
> > newp = __libc_malloc (bytes);
> > if (newp != NULL)
> > {
> > - memcpy (newp, oldmem, oldsize - SIZE_SZ);
>
> > + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
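Review bot: only one of the hunk's added lines is quoted here; the header's -3446,7 +3446,9 means one line removed and three added, so the memcpy that consumes `sz` (and whatever else replaces `memcpy (newp, oldmem, oldsize - SIZE_SZ)`) is not visible, and this excerpt alone cannot confirm that the copy length now matches the region the user may access in oldp. Also, `CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ` is the user-accessible length only if CHUNK_AVAILABLE_SIZE is defined as user bytes plus the full chunk header; a comment on the new line stating that invariant would spare readers the derivation the replies below go through.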
>
> I think this is semantically wrong, because the chunk size
> (mptr->mchunk_size) does not include the mchunk_prev_size that's
> accounted for in CHUNK_HDR_SZ. I suspect the problem is that
> CHUNK_AVAILABLE_SIZE is wrong, in that it adds SIZE_SZ in the non-tagged
> case, and shouldn't, or that it's defined (or named) wrong.
>
> chunksize(p) is the difference between this chunk and the corresponding
> address in the next chunk. i.e. it's prev_ptr to prev_ptr, or
> user-bytes to user-bytes.
>
> A "chunk pointer" does NOT point to the beginning of the chunk, but to
> the prev_ptr in the PREVIOUS chunk. So CHUNK_HDR_SZ is the offset from
> a chunk pointer to the user data, but it is NOT the difference between
> the chunk size and the user data size. Using CHUNK_HDR_SZ in any
> user-data-size computations is suspect logic.
>
> That the resulting value happens to be correct is irrelevant here,
> although I suspect it will be off by a word when tagging is enabled, and
> not memcpy enough data, if the prev_ptr word is still part of the "user
> data" when tagging is enabled.
It seems CHUNK_AVAILABLE_SIZE is defined as
(memory owned by the user) + CHUNK_HDR_SZ
and it should work on mmapped and normal chunks with or without
tagging. So by this definition I think the change is right, but
CHUNK_AVAILABLE_SIZE may not have the most useful definition.
I can change this macro to be more meaningful, e.g.:
CHUNK_USER_SIZE(chunk): memory owned by the user in chunk.
I.e. the interval that user code may access in chunk p is
[ chunk2mem(p), chunk2mem(p) + CHUNK_USER_SIZE(p) )
With tagging on aarch64 (granule = 2*size_t) this does not include
the prev_ptr word at the end.
I can refactor the code using this macro, or let me know if you
have a different preference (and if it should be backported with
this bug fix or have it as a follow up change on master).
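The chunk geometry the two replies argue over, as an added example that is not from the patch or from glibc: it models CHUNK_AVAILABLE_SIZE as the reply defines it, derives the proposed CHUNK_USER_SIZE from it, and shows that the pre-patch copy length `oldsize - SIZE_SZ` is one word longer than the tagged user region. The 16-byte granule, the function names and the 64-byte sample chunk are assumptions of the model.

```c
/* Added example, not glibc code: the chunk arithmetic this thread
   describes.  p addresses the prev_size word owned by the previous
   chunk, user data starts CHUNK_HDR_SZ later, chunksize(p) spans p to
   the next chunk pointer.  Untagged the user also owns the next chunk's
   prev_size word; MTE tagging rounds down to the granule (assumed 16).  */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SIZE_SZ      sizeof (size_t)     /* 8 on LP64 */
#define CHUNK_HDR_SZ (2 * SIZE_SZ)       /* prev_size + size words */
#define MTAG_GRANULE ((size_t) 16)       /* assumed aarch64 granule */

/* CHUNK_AVAILABLE_SIZE as the reply defines it: (memory owned by the
   user) + CHUNK_HDR_SZ, for mmapped and normal chunks, tagged or not.  */
size_t
chunk_available_size (size_t chunksize, bool mmapped, bool tagged)
{
  size_t avail = chunksize + (mmapped ? 0 : SIZE_SZ);
  if (tagged)
    avail &= ~(MTAG_GRANULE - 1);        /* whole granules only */
  return avail;
}

/* The proposed CHUNK_USER_SIZE: length of the interval
   [chunk2mem(p), chunk2mem(p) + CHUNK_USER_SIZE(p)) the user may access.  */
size_t
chunk_user_size (size_t chunksize, bool mmapped, bool tagged)
{
  return chunk_available_size (chunksize, mmapped, tagged) - CHUNK_HDR_SZ;
}

/* Bytes by which the pre-patch copy length, oldsize - SIZE_SZ, runs past
   the user-accessible region of a normal chunk (0 means in bounds).  */
size_t
old_copy_overrun (size_t oldsize, bool tagged)
{
  size_t user = chunk_user_size (oldsize, false, tagged);
  size_t len = oldsize - SIZE_SZ;
  return len > user ? len - user : 0;
}

int
main (void)
{
  /* Constructed sample: a 64-byte normal chunk, untagged then tagged.  */
  for (int t = 0; t < 2; t++)
    printf ("tagged=%d user=%zu old copy=%zu overrun=%zu\n", t,
            chunk_user_size (64, false, t), (size_t) 64 - SIZE_SZ,
            old_copy_overrun (64, t));
  return 0;
}
```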