Date: Fri, 5 Mar 2021 12:01:34 +0000
From: Szabolcs Nagy
To: DJ Delorie
Cc: libc-alpha@sourceware.org, Richard.Earnshaw@arm.com
Subject: Re: [PATCH 01/16] malloc: Fix a realloc crash with heap tagging [BZ 27468]
Message-ID: <20210305120133.GQ12795@arm.com>
The 03/04/2021 19:15, DJ Delorie wrote:
> Szabolcs Nagy writes:
> > diff --git a/malloc/malloc.c b/malloc/malloc.c
> > index 1f4bbd8edf..10ea6aa441 100644
> > --- a/malloc/malloc.c
> > +++ b/malloc/malloc.c
> > @@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
> > newp = __libc_malloc (bytes);
> > if (newp != NULL)
> > {
> > - memcpy (newp, oldmem, oldsize - SIZE_SZ);
>
> > + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
>
> I think this is semantically wrong, because the chunk size
> (mptr->mchunk_size) does not include the mchunk_prev_size that's
> accounted for in CHUNK_HDR_SZ.  I suspect the problem is that
> CHUNK_AVAILABLE_SIZE is wrong, in that it adds SIZE_SZ in the non-tagged
> case, and shouldn't, or that it's defined (or named) wrong.
>
> chunksize(p) is the difference between this chunk and the corresponding
> address in the next chunk.  i.e. it's prev_ptr to prev_ptr, or
> user-bytes to user-bytes.
>
> A "chunk pointer" does NOT point to the beginning of the chunk, but to
> the prev_ptr in the PREVIOUS chunk.  So CHUNK_HDR_SZ is the offset from
> a chunk pointer to the user data, but it is NOT the difference between
> the chunk size and the user data size.  Using CHUNK_HDR_SZ in any
> user-data-size computations is suspect logic.
>
> That the resulting value happens to be correct is irrelevant here,
> although I suspect it will be off by a word when tagging is enabled, and
> not memcpy enough data, if the prev_ptr word is still part of the "user
> data" when tagging is enabled.

it seems CHUNK_AVAILABLE_SIZE is defined as

  (memory owned by the user) + CHUNK_HDR_SZ

and it should work on mmapped and normal chunks with or without tagging.

so by this definition i think the change is right, but the
CHUNK_AVAILABLE_SIZE may not have the most useful definition.

i can change this macro to be more meaningful, e.g.:

  CHUNK_USER_SIZE(chunk): memory owned by the user in chunk.

i.e. the interval that user code may access in chunk p is

  [ chunk2mem(p), chunk2mem(p) + CHUNK_USER_SIZE(p) )

with tagging on aarch64 (granule = 2*size_t) this does not include the
prev_ptr word at the end.
I can refactor the code using this macro, or let me know if you have a different preference (and if it should be backported with this bug fix or have it as a follow-up change on master).
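The size arithmetic debated above, as an added standalone model (not glibc's code and not part of this thread): it assumes the classic layout in which a chunk pointer addresses the prev_size word owned by the previous chunk, a normal chunk's user memory overlaps the next chunk's prev_size word, and the tag granule is 2*size_t as stated for aarch64; the mmapped adjustment is an assumption of the model.

```c
/* Added model of CHUNK_AVAILABLE_SIZE / CHUNK_USER_SIZE; not glibc code.
   Assumed layout: chunk pointer p -> prev_size word (owned by the
   previous chunk), size word, then user memory at p + CHUNK_HDR_SZ.
   A normal chunk's user memory overlaps the next chunk's prev_size word.
   The tag granule is modelled as 2*size_t (aarch64 MTE).  */
#include <stdbool.h>
#include <stddef.h>

#define SIZE_SZ      (sizeof (size_t))
#define CHUNK_HDR_SZ (2 * SIZE_SZ)
#define GRANULE      (2 * SIZE_SZ)

/* chunksize (p): distance from this chunk pointer to the next one.  */
typedef struct { size_t chunksize; bool mmapped; } model_chunk;

/* Model of CHUNK_AVAILABLE_SIZE as the reply describes it: user-owned
   bytes plus CHUNK_HDR_SZ.  A normal chunk's user memory extends one
   word into the next chunk (hence + SIZE_SZ; the mmapped case without
   that word is an assumption of this model).  With tagging the value is
   rounded down to the granule, which drops that trailing word.  */
static size_t
available_size (model_chunk c, bool tagging)
{
  size_t sz = c.chunksize + (c.mmapped ? 0 : SIZE_SZ);
  return tagging ? (sz & ~(GRANULE - 1)) : sz;
}

/* The proposed CHUNK_USER_SIZE: length of the interval
   [chunk2mem (p), chunk2mem (p) + CHUNK_USER_SIZE (p)).  */
static size_t
user_size (model_chunk c, bool tagging)
{
  return available_size (c, tagging) - CHUNK_HDR_SZ;
}

/* Bytes by which the pre-patch copy length, oldsize - SIZE_SZ, exceeds
   the user interval (0 when the two agree).  With tagging on a normal
   chunk this is exactly the excluded prev_ptr word.  */
static size_t
old_copy_excess (model_chunk c, bool tagging)
{
  size_t old = c.chunksize - SIZE_SZ;
  size_t user = user_size (c, tagging);
  return old > user ? old - user : 0;
}
```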