From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 42587 invoked by alias); 16 Jan 2018 12:05:06 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Received: (qmail 42573 invoked by uid 89); 16 Jan 2018 12:05:05 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-24.4 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy=held X-HELO: mail-wm0-f68.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NAhMcbU7ozQBaaLAwYNSdpw2mkL9KQXByNIS3hP6TLQ=; b=HDeat2byep9TxVct0ykp2M8ZXwxTRf2mXTsH+LhXB5uiy0YgAgy28HwhYawKA+Rb+B stCOzfY4RUxNroBo1XYKkgCyy8For6vPnHMn+1PFDCTXj4USaQSL6gXmePrclu0igRWg ThRaeaUz090ioLazaJa0//iQJG398wiNkMN9eKdp3afdazgaQIEITZ//bHuCwfK31COy VCjbEA/j8srEPHjy4luy3Vo7RnMVrWXDZD6glY9YHpC8Sz/eVgGTE4epeJGZpEmD3Pk0 VETfun5sH8S2rDr/Qmk1USw3+am185XfT+z6kpKWnLhB6pm8PlE7+9LnAElFghLs2pXt G4Jw== X-Gm-Message-State: AKwxytdKUWzzsqVf7oRIywLfnPlfN4CLTeWambPTjqVWCQ8j28DHprbk u9Wk1d0yjwXoXkeKTCdu5v4jRnyLp1qFDlimwi8= X-Google-Smtp-Source: ACJfBosamM1dopckkD4UYEgMGxCh/XzpVAMlStyqnjC/WOKNfaGLfKE3WljXitizaQwyYhCwgQMQKSY/E9cqe4UMfq0= X-Received: by 10.28.225.133 with SMTP id y127mr12252104wmg.55.1516104301374; Tue, 16 Jan 2018 04:05:01 -0800 (PST) MIME-Version: 1.0 In-Reply-To: <5037e896-ae8c-e933-a221-22d9dd713502@redhat.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> <1510068430-27816-2-git-send-email-pistukem@gmail.com> <5037e896-ae8c-e933-a221-22d9dd713502@redhat.com> From: Istvan Kurucsai Date: Tue, 16 Jan 2018 12:05:00 -0000 Message-ID: Subject: Re: [PATCH v2 1/7] malloc: Add check for top size corruption. To: Florian Weimer Cc: libc-alpha@sourceware.org Content-Type: text/plain; charset="UTF-8" X-SW-Source: 2018-01/txt/msg00551.txt.bz2 > Andreas already pointed out style issues. > > I'm somewhat surprised that we have accurate accounting in av->system_mem. > > Furthermore, for non-main arenas, I think the check should be against the > size of a single heap, or maybe the minimum of av->system_mem and that size. I thought about this and believe that we can ensure something more strict: that the end of the top chunk is the same as the end of the arena (contiguous main_arena case) or the heap (mmapped arena case), see below. Tests passed but I'm a bit uncertain if these invariants are always held. Ensure that the end of the top chunk is the same as the end of the arena/heap. * malloc/malloc.c (_int_malloc): Check top size. --- malloc/malloc.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/malloc/malloc.c b/malloc/malloc.c index f5aafd2..fd0f001 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -2251,6 +2251,33 @@ do_check_malloc_state (mstate av) } #endif +static bool +valid_top_chunk (mstate av, mchunkptr top) +{ + size_t size = chunksize(top); + + assert (av); + assert (av->top != initial_top (av)); + + if (av == &main_arena) + { + if ((contiguous (&main_arena) + && __glibc_unlikely ((uintptr_t) top + size + != (uintptr_t) mp_.sbrk_base + av->system_mem)) + || (!contiguous (&main_arena) + && __glibc_unlikely (size > av->system_mem))) + return false; + } + else + { + heap_info *heap = heap_for_ptr (top); + uintptr_t heap_end = (uintptr_t) heap + heap->size; + if (__glibc_unlikely ((uintptr_t) top + size != heap_end)) + return false; + } + + return true; +} /* ----------------- Support for debugging hooks -------------------- */ #include "hooks.c" @@ -4088,6 +4115,8 @@ _int_malloc (mstate av, size_t bytes) if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) { + if (__glibc_unlikely (!valid_top_chunk (av, victim))) + malloc_printerr ("malloc(): corrupted top chunk"); remainder_size = size - nb; remainder = chunk_at_offset (victim, nb); av->top = remainder; -- 2.7.4