This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH v2 1/7] malloc: Add check for top size corruption.
- From: Istvan Kurucsai <pistukem at gmail dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Tue, 16 Jan 2018 13:05:00 +0100
- Subject: Re: [PATCH v2 1/7] malloc: Add check for top size corruption.
- Authentication-results: sourceware.org; auth=none
- References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> <1510068430-27816-2-git-send-email-pistukem@gmail.com> <5037e896-ae8c-e933-a221-22d9dd713502@redhat.com>
> Andreas already pointed out style issues.
>
> I'm somewhat surprised that we have accurate accounting in av->system_mem.
>
> Furthermore, for non-main arenas, I think the check should be against the
> size of a single heap, or maybe the minimum of av->system_mem and that size.
I thought about this and believe that we can ensure something more
strict: that the end of the top chunk is the same as the end of the
arena (contiguous main_arena case) or the heap (mmapped arena case),
see below. Tests passed but I'm a bit uncertain if these invariants
are always held.
Ensure that the end of the top chunk is the same as
the end of the arena/heap.
* malloc/malloc.c (_int_malloc): Check top size.
---
malloc/malloc.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index f5aafd2..fd0f001 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2251,6 +2251,33 @@ do_check_malloc_state (mstate av)
}
#endif
+static bool
+valid_top_chunk (mstate av, mchunkptr top)
+{
+ size_t size = chunksize(top);
+
+ assert (av);
+ assert (av->top != initial_top (av));
+
+ if (av == &main_arena)
+ {
+ if ((contiguous (&main_arena)
+ && __glibc_unlikely ((uintptr_t) top + size
+ != (uintptr_t) mp_.sbrk_base + av->system_mem))
+ || (!contiguous (&main_arena)
+ && __glibc_unlikely (size > av->system_mem)))
+ return false;
+ }
+ else
+ {
+ heap_info *heap = heap_for_ptr (top);
+ uintptr_t heap_end = (uintptr_t) heap + heap->size;
+ if (__glibc_unlikely ((uintptr_t) top + size != heap_end))
+ return false;
+ }
+
+ return true;
+}
/* ----------------- Support for debugging hooks -------------------- */
#include "hooks.c"
@@ -4088,6 +4115,8 @@ _int_malloc (mstate av, size_t bytes)
if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
{
+ if (__glibc_unlikely (!valid_top_chunk (av, victim)))
+ malloc_printerr ("malloc(): corrupted top chunk");
remainder_size = size - nb;
remainder = chunk_at_offset (victim, nb);
av->top = remainder;
--
2.7.4