From: Istvan Kurucsai <pistukem@gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH v2 1/7] malloc: Add check for top size corruption.
Date: Tue, 16 Jan 2018 12:05:00 -0000 [thread overview]
Message-ID: <CAHJ3J3kY=mF=APb2hoWK4LWUZ6Eo484wPB2T3BfhDySjA95+JQ@mail.gmail.com> (raw)
In-Reply-To: <5037e896-ae8c-e933-a221-22d9dd713502@redhat.com>
> Andreas already pointed out style issues.
>
> I'm somewhat surprised that we have accurate accounting in av->system_mem.
>
> Furthermore, for non-main arenas, I think the check should be against the
> size of a single heap, or maybe the minimum of av->system_mem and that size.
I thought about this and believe that we can ensure something more
strict: that the end of the top chunk is the same as the end of the
arena (contiguous main_arena case) or the heap (mmapped arena case),
see below. Tests passed but I'm a bit uncertain if these invariants
are always held.
Ensure that the end of the top chunk is the same as
the end of the arena/heap.
* malloc/malloc.c (_int_malloc): Check top size.
---
malloc/malloc.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index f5aafd2..fd0f001 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2251,6 +2251,33 @@ do_check_malloc_state (mstate av)
}
#endif
+static bool
+valid_top_chunk (mstate av, mchunkptr top)
+{
+ size_t size = chunksize(top);
+
+ assert (av);
+ assert (av->top != initial_top (av));
+
+ if (av == &main_arena)
+ {
+ if ((contiguous (&main_arena)
+ && __glibc_unlikely ((uintptr_t) top + size
+ != (uintptr_t) mp_.sbrk_base + av->system_mem))
+ || (!contiguous (&main_arena)
+ && __glibc_unlikely (size > av->system_mem)))
+ return false;
+ }
+ else
+ {
+ heap_info *heap = heap_for_ptr (top);
+ uintptr_t heap_end = (uintptr_t) heap + heap->size;
+ if (__glibc_unlikely ((uintptr_t) top + size != heap_end))
+ return false;
+ }
+
+ return true;
+}
/* ----------------- Support for debugging hooks -------------------- */
#include "hooks.c"
@@ -4088,6 +4115,8 @@ _int_malloc (mstate av, size_t bytes)
if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
{
+ if (__glibc_unlikely (!valid_top_chunk (av, victim)))
+ malloc_printerr ("malloc(): corrupted top chunk");
remainder_size = size - nb;
remainder = chunk_at_offset (victim, nb);
av->top = remainder;
--
2.7.4
next prev parent reply other threads:[~2018-01-16 12:05 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 15:27 [PATCH v2 0/7] Additional integrity checks for the malloc Istvan Kurucsai
2017-11-07 15:27 ` [PATCH v2 1/7] malloc: Add check for top size corruption Istvan Kurucsai
2017-11-07 15:53 ` Andreas Schwab
2018-01-11 12:05 ` Florian Weimer
2018-01-16 12:05 ` Istvan Kurucsai [this message]
2018-02-20 13:49 ` Florian Weimer
2018-08-17 14:08 ` Florian Weimer
2017-11-07 15:27 ` [PATCH v2 3/7] malloc: Ensure that the consolidated fast chunk has a sane size Istvan Kurucsai
2018-01-12 14:29 ` Florian Weimer
2017-11-07 15:27 ` [PATCH v2 7/7] malloc: Check the alignment of mmapped chunks before unmapping Istvan Kurucsai
2018-11-15 23:58 ` DJ Delorie
2018-11-16 10:35 ` Florian Weimer
2018-12-21 6:33 ` DJ Delorie
2017-11-07 15:27 ` [PATCH v2 5/7] malloc: Verify the integrity of mmapped chunks in calloc Istvan Kurucsai
2018-08-17 14:15 ` Florian Weimer
2018-11-16 10:33 ` Florian Weimer
2017-11-07 15:27 ` [PATCH v2 6/7] malloc: Add more integrity checks to mremap_chunk Istvan Kurucsai
2018-11-15 23:55 ` DJ Delorie
2018-11-16 10:32 ` Florian Weimer
2018-12-21 6:32 ` DJ Delorie
2017-11-07 15:27 ` [PATCH v2 4/7] malloc: Ensure lower bound on chunk size in __libc_realloc Istvan Kurucsai
2018-08-17 14:12 ` Florian Weimer
2018-08-20 21:20 ` DJ Delorie
2018-08-21 0:07 ` Carlos O'Donell
2018-08-21 0:17 ` DJ Delorie
2018-08-21 0:40 ` Carlos O'Donell
2017-11-07 15:27 ` [PATCH v2 2/7] malloc: Additional checks for unsorted bin integrity I Istvan Kurucsai
2018-01-11 14:50 ` Florian Weimer
2018-01-16 13:54 ` Istvan Kurucsai
2018-08-17 14:07 ` Florian Weimer
2018-08-20 12:59 ` Florian Weimer
2017-11-16 4:18 ` [PATCH v2 0/7] Additional integrity checks for the malloc DJ Delorie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHJ3J3kY=mF=APb2hoWK4LWUZ6Eo484wPB2T3BfhDySjA95+JQ@mail.gmail.com' \
--to=pistukem@gmail.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).