From: DJ Delorie <dj@redhat.com>
To: Szabolcs Nagy <szabolcs.nagy@arm.com>
Cc: libc-alpha@sourceware.org, Richard.Earnshaw@arm.com
Subject: Re: [PATCH 01/16] malloc: Fix a realloc crash with heap tagging [BZ 27468]
Date: Thu, 04 Mar 2021 19:15:31 -0500
Message-ID: <xnsg5av4kc.fsf@rhel8.vm>
In-Reply-To: <dd545f772bb48cba9ddf98148e81d0a1362a074e.1614874816.git.szabolcs.nagy@arm.com> (message from Szabolcs Nagy on Thu, 4 Mar 2021 16:30:26 +0000)
Szabolcs Nagy <szabolcs.nagy@arm.com> writes:
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 1f4bbd8edf..10ea6aa441 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3446,7 +3446,9 @@ __libc_realloc (void *oldmem, size_t bytes)
> newp = __libc_malloc (bytes);
> if (newp != NULL)
> {
> - memcpy (newp, oldmem, oldsize - SIZE_SZ);
> + size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
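Review bot: the hunk as quoted stops at the declaration of `sz`, so the statement that consumes it (the replacement for the removed `memcpy (newp, oldmem, oldsize - SIZE_SZ)`) is not visible and the copy length cannot be reviewed here. Whatever that statement is, `sz` is derived only from the old chunk (`CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ`) while `newp` was obtained from `__libc_malloc (bytes)`; either the copy should be bounded by `bytes` as well, or the commit message should say why a shrinking realloc can never reach this path. A one-line comment at the `sz` declaration stating what CHUNK_AVAILABLE_SIZE measures relative to the chunk pointer (whether or not it already includes the next chunk's prev_size word) would also spare the next reader the arithmetic.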
I think this is semantically wrong, because the chunk size
(mptr->mchunk_size) does not include the mchunk_prev_size that's
accounted for in CHUNK_HDR_SZ. I suspect the problem is that
CHUNK_AVAILABLE_SIZE is wrong, in that it adds SIZE_SZ in the non-tagged
case, and shouldn't, or that it's defined (or named) wrong.
chunksize(p) is the difference between this chunk and the corresponding
address in the next chunk. i.e. it's prev_ptr to prev_ptr, or
user-bytes to user-bytes.
A "chunk pointer" does NOT point to the beginning of the chunk, but to
the prev_ptr in the PREVIOUS chunk. So CHUNK_HDR_SZ is the offset from
a chunk pointer to the user data, but it is NOT the difference between
the chunk size and the user data size. Using CHUNK_HDR_SZ in any
user-data-size computations is suspect logic.
That the resulting value happens to be correct is irrelevant here,
although I suspect it will be off by a word when tagging is enabled, and
not memcpy enough data, if the prev_ptr word is still part of the "user
data" when tagging is enabled.
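The chunk geometry argued above can be checked with a small model. The following is an added example, not code from the glibc patch or from either participant: it lays out two adjacent in-heap chunks in a constructed buffer using the field and macro names from malloc.c (`mchunk_prev_size`, `mchunk_size`, `SIZE_SZ`, `CHUNK_HDR_SZ`, `chunksize`) and measures, from the layout itself, how many bytes a user may write before reaching the next chunk's size word. It covers only the non-tagged, non-mmapped case; the tagged case the message speculates about is not modelled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names as in glibc's malloc.c; nothing below depends on the word size.  */
#define SIZE_SZ      (sizeof (size_t))
#define CHUNK_HDR_SZ (2 * SIZE_SZ)     /* mchunk_prev_size + mchunk_size */
#define SIZE_BITS    ((size_t) 7)      /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE   ((size_t) 1)

/* In-heap chunk header.  mchunk_prev_size carries data only while the
   previous chunk is free; otherwise those bytes are the previous chunk's
   user data, which is the point of the discussion.  */
struct mchunk
{
  size_t mchunk_prev_size;
  size_t mchunk_size;
  /* user data starts here and runs into the next chunk's mchunk_prev_size */
};

static size_t chunksize (const struct mchunk *p)
{ return p->mchunk_size & ~SIZE_BITS; }

/* Chunk pointer -> user pointer: CHUNK_HDR_SZ is this offset, nothing more.  */
static const unsigned char *chunk2mem (const struct mchunk *p)
{ return (const unsigned char *) p + CHUNK_HDR_SZ; }

static const struct mchunk *next_chunk (const struct mchunk *p)
{ return (const struct mchunk *) ((const unsigned char *) p + chunksize (p)); }

/* Bytes a user may write from chunk2mem (p) without touching the next
   chunk's size word, measured geometrically from the layout.  */
static size_t geometric_usable (const struct mchunk *p)
{
  const struct mchunk *n = next_chunk (p);
  return (size_t) ((const unsigned char *) &n->mchunk_size - chunk2mem (p));
}

/* The two formulas under discussion, for a non-mmapped chunk.  */
static size_t usable_minus_size_sz (const struct mchunk *p)
{ return chunksize (p) - SIZE_SZ; }

static size_t usable_minus_hdr_sz (const struct mchunk *p)
{ return chunksize (p) - CHUNK_HDR_SZ; }

/* Constructed arena: chunk A of 3 * CHUNK_HDR_SZ bytes, chunk B right after.  */
static _Alignas (16) unsigned char arena[8 * CHUNK_HDR_SZ];

static const struct mchunk *build_arena (void)
{
  struct mchunk *a = (struct mchunk *) arena;
  memset (arena, 0, sizeof arena);
  a->mchunk_size = (3 * CHUNK_HDR_SZ) | PREV_INUSE;
  struct mchunk *b = (struct mchunk *) (arena + chunksize (a));
  b->mchunk_size = (2 * CHUNK_HDR_SZ) | PREV_INUSE;   /* A is in use */
  return a;
}

/* Returns 1 when the three identities from the message hold on the model:
   chunksize is user-pointer to user-pointer, the SIZE_SZ formula equals the
   geometric usable size, and the CHUNK_HDR_SZ formula is one word short.  */
static int check_layout (void)
{
  const struct mchunk *a = build_arena ();
  const struct mchunk *b = next_chunk (a);
  int user_to_user = (size_t) (chunk2mem (b) - chunk2mem (a)) == chunksize (a);
  int size_sz_ok   = usable_minus_size_sz (a) == geometric_usable (a);
  int hdr_short    = usable_minus_hdr_sz (a) + SIZE_SZ == geometric_usable (a);
  return user_to_user && size_sz_ok && hdr_short;
}

int main (void)
{
  const struct mchunk *a = build_arena ();
  printf ("chunksize(A)             = %zu\n", chunksize (a));
  printf ("geometric usable         = %zu\n", geometric_usable (a));
  printf ("chunksize - SIZE_SZ      = %zu\n", usable_minus_size_sz (a));
  printf ("chunksize - CHUNK_HDR_SZ = %zu (one word short)\n", usable_minus_hdr_sz (a));
  return check_layout () ? 0 : 1;
}
```

On a 64-bit build chunk A has chunksize 48 and 40 usable bytes: the 8 bytes of chunk B's `mchunk_prev_size` belong to A's user data, so `chunksize - CHUNK_HDR_SZ` reports 32 and is one word short, exactly the mismatch the message points at.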