[RFC][PATCH 2/7] malloc: Additional checks for unsorted bin integrity I.
- From: Istvan Kurucsai <pistukem at gmail dot com>
- To: libc-alpha at sourceware dot org
- Cc: Istvan Kurucsai <pistukem at gmail dot com>
- Date: Wed, 31 May 2017 10:43:50 +0200
- Subject: [RFC][PATCH 2/7] malloc: Additional checks for unsorted bin integrity I.
- Authentication-results: sourceware.org; auth=none
- References: <1496220235-12750-1-git-send-email-pistukem@gmail.com>
Ensure the following properties of chunks encountered during binning:
- victim chunk has reasonable size
- next chunk has reasonable size
- next->prev_size == victim->size
- valid doubly linked list
- PREV_INUSE of next chunk is unset
* malloc/malloc.c (_int_malloc): Additional binning code checks.
---
malloc/malloc.c | 37 ++++++++++++++++++++++++++++++++-----
1 file changed, 32 insertions(+), 5 deletions(-)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 458b57d..34310a2 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3326,6 +3326,7 @@ _int_malloc (mstate av, size_t bytes)
INTERNAL_SIZE_T size; /* its size */
int victim_index; /* its bin index */
+ mchunkptr next; /* next contiguous chunk */
mchunkptr remainder; /* remainder from a split */
unsigned long remainder_size; /* its size */
@@ -3470,12 +3471,38 @@ _int_malloc (mstate av, size_t bytes)
while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av))
{
bck = victim->bk;
- if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
- || __builtin_expect (chunksize_nomask (victim)
- > av->system_mem, 0))
- malloc_printerr (check_action, "malloc(): memory corruption",
- chunk2mem (victim), av);
size = chunksize (victim);
+ next = chunk_at_offset (victim, size);
+
+ if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ)
+ || __glibc_unlikely (chunksize_nomask (victim) > av->system_mem))
+ {
+ errstr = "malloc(): invalid size (unsorted)";
+ goto errout;
+ }
+ if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ)
+ || __glibc_unlikely (chunksize_nomask (next) > av->system_mem))
+ {
+ errstr = "malloc(): invalid next size (unsorted)";
+ goto errout;
+ }
+ if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size))
+ {
+ errstr = "malloc(): mismatching next->prev_size (unsorted)";
+ goto errout;
+ }
+ if (__glibc_unlikely (bck->fd != victim)
+ || __glibc_unlikely (victim->fd != unsorted_chunks (av)))
+ {
+ errstr = "malloc(): unsorted double linked list corrupted";
+ goto errout;
+ }
+ if (__glibc_unlikely (prev_inuse(next)))
+ {
+ errstr = "malloc(): invalid next->prev_inuse (unsorted)";
+ goto errout;
+ }
+
/*
If a small request, try to use last remainder if it is the
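Review bot: The bound on the successor, `chunksize_nomask (next) < 2 * SIZE_SZ`, is deliberately looser than the victim bound `chunksize_nomask (victim) <= 2 * SIZE_SZ` a few lines above, and than the `<=` / `>=` pair `_int_free` uses for its own "invalid next size" test, but nothing in the hunk records why. Presumably this is so that a fencepost chunk of exactly `2 * SIZE_SZ` (which, as far as I can tell, has its PREV_INUSE bit cleared when the chunk before it is freed and so must also survive the `prev_inuse (next)` test added at the end of this block) is not rejected; without a note someone will "harmonise" the operators later and break non-contiguous heaps. I would put `/* next may be a 2 * SIZE_SZ fencepost chunk, hence '<' rather than '<='.  */` directly above that check. Similarly, the `& ~(SIZE_BITS)` on the `prev_size (next)` comparison masks a field that `set_foot` stores without flag bits; if the mask is intentional a one-line comment saying so would help, otherwise `prev_size (next) != size` reads more clearly. All of this sits inside `_int_malloc`, whose body starts and ends outside the hunk.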
--
2.7.4