This is the mail archive of the libc-hacker@sourceware.org mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.



[PATCH] Fix calloc with MALLOC_PERTURB_


Hi!

malloc_usable_size() is chunksize (p) - 2 * SIZE_SZ for chunk_is_mmapped (p),
not chunksize (p) - SIZE_SZ, but with MALLOC_PERTURB_=X if X != 0 calloc
was clearing SIZE_SZ bytes too much (without MALLOC_PERTURB_ it would just
return right away).  On 32-bit architectures, that is not fatal, as
chunksize is always a multiple of 8 (3 bits used for other stuff), but on
64-bit arches if calloc uses mmap this means usually segfault or clobbering
whatever memory is after it.  On closer inspection, we really need to clear
just sz bytes in that case (and unrolling in that case is not a good idea,
sz is usually quite large), as _int_malloc cleared just sz bytes and
the rest are 0's from mmap, plus apps shouldn't rely on calloc clearing
bytes beyond what it asked for (IMHO nothing says what values will
have bytes at ret+size*nmemb through ret+malloc_usable_bytes (ret)).

2005-09-12  Jakub Jelinek  <jakub@redhat.com>

	* malloc.c (struct malloc_chunk): Fix comment typo.
	(public_cALLOc): For mmapped chunks and perturb_byte != 0,
	don't clear SIZE_SZ bytes more than should be cleared.

--- libc/malloc/malloc.c	20 Mar 2005 18:08:52 -0000	1.148
+++ libc/malloc/malloc.c	12 Sep 2005 09:23:27 -0000
@@ -1726,7 +1726,7 @@ struct malloc_chunk {
       mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             |             User data starts here...                          .
             .                                                               .
-            .             (malloc_usable_space() bytes)                     .
+            .             (malloc_usable_size() bytes)                      .
             .                                                               |
 nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             |             Size of chunk                                     |
@@ -3691,8 +3691,12 @@ public_cALLOc(size_t n, size_t elem_size
 
   /* Two optional cases in which clearing not necessary */
 #if HAVE_MMAP
-  if (perturb_byte == 0 && chunk_is_mmapped(p))
-    return mem;
+  if (chunk_is_mmapped (p))
+    {
+      if (__builtin_expect (perturb_byte, 0))
+	MALLOC_ZERO (mem, sz);
+      return mem;
+    }
 #endif
 
   csz = chunksize(p);
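Review bot: the comment kept above this block, "/* Two optional cases in which clearing not necessary */", no longer describes the code under it: when perturb_byte != 0 the mmapped branch now clears sz bytes before returning, so only the perturb_byte == 0 case actually skips clearing. Suggest rewording it, e.g. "/* Mmapped memory is already zero unless it was perturbed; in that case clear only the requested sz bytes. */". Two further points on the new lines: `MALLOC_ZERO (mem, sz)` relies on `sz` already holding the caller's requested byte count (n * elem_size) rather than the chunk size at this point, and the hunk's context does not show where it is assigned, so that ordering is worth confirming against the size computation earlier in public_cALLOc; and `chunk_is_mmapped (p)` now has a space before the parenthesis while the removed line and the following `csz = chunksize(p);` do not, so the spacing should match one style or the other.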

	Jakub
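The overrun described in the mail, as an added example that is not part of the original message or of glibc's malloc.c: a small C model of the mmapped-chunk header arithmetic. It assumes the layout shown in the patch's chunk diagram, with the chunk header at offset 0 of the mapping, user memory at 2*SIZE_SZ and the mapping ending at chunksize(p). The helper names (chunksize_of, usable_size, old_clear_len, new_clear_len, simulate_clear) are this example's own, and the perturb fill pattern (perturb_byte ^ 0xff) comes from glibc's alloc_perturb rather than from this page.

```c
/* Added example, not glibc code: models the mmapped-chunk arithmetic from
   malloc.c to show why the pre-patch calloc wrote SIZE_SZ bytes past the end
   of an mmapped chunk once MALLOC_PERTURB_ made it fall through to the
   clearing code.  Assumed layout: chunk header at offset 0 of the mapping,
   user memory at 2*SIZE_SZ, mapping end at chunksize(p). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_SZ    sizeof(size_t)   /* INTERNAL_SIZE_T width, as in glibc */
#define IS_MMAPPED ((size_t)0x2)    /* flag bit glibc keeps in the size word */
#define SIZE_BITS  ((size_t)0x7)    /* low three bits of the size word are flags */

/* chunksize(): the size word with its flag bits masked off. */
static size_t chunksize_of(size_t head) { return head & ~SIZE_BITS; }

/* malloc_usable_size(): an mmapped chunk loses both header words because
   nothing follows it in the mapping; an arena chunk loses only one because
   the next chunk's prev_size word belongs to this chunk while it is in use. */
static size_t usable_size(size_t head)
{
    size_t csz = chunksize_of(head);
    return (head & IS_MMAPPED) ? csz - 2 * SIZE_SZ : csz - SIZE_SZ;
}

/* Pre-patch calloc: clear csz - SIZE_SZ bytes from mem for every chunk it did
   not return early on.  Right for arena chunks, SIZE_SZ too long for mmapped. */
static size_t old_clear_len(size_t head, size_t sz)
{
    (void)sz;
    return chunksize_of(head) - SIZE_SZ;
}

/* Post-patch calloc: an mmapped chunk gets exactly the requested sz bytes
   cleared (the rest of the mapping is still zero from mmap); arena chunks
   are handled as before. */
static size_t new_clear_len(size_t head, size_t sz)
{
    return (head & IS_MMAPPED) ? sz : chunksize_of(head) - SIZE_SZ;
}

/* Outcome of one simulated calloc clear against a fake mapping. */
struct clear_result {
    size_t overrun;          /* bytes written past the end of the mapping */
    size_t dirty_in_request; /* bytes of the requested sz still nonzero */
};

/* Builds a fake mapping of `page` bytes followed by `guard` bytes of 0xAA
   (standing in for whatever lies after the mapping), perturbs the requested
   sz bytes the way alloc_perturb does (perturb_byte ^ 0xff), then clears
   clear_len(head, sz) bytes from the user pointer as calloc would.  The
   memset is capped at the guard so the example itself never overflows. */
static struct clear_result simulate_clear(size_t page, size_t guard, size_t sz,
                                          size_t (*clear_len)(size_t, size_t),
                                          unsigned char perturb_byte)
{
    struct clear_result r = {0, 0};
    unsigned char *region = calloc(page + guard, 1);   /* mmap memory starts zeroed */
    if (!region) { perror("calloc"); exit(1); }
    memset(region + page, 0xAA, guard);                /* bytes after the mapping */

    size_t head = page | IS_MMAPPED;                   /* set_head(p, size | IS_MMAPPED) */
    memcpy(region + SIZE_SZ, &head, SIZE_SZ);          /* size word of the chunk */
    unsigned char *mem = region + 2 * SIZE_SZ;         /* chunk2mem(p) */
    memset(mem, perturb_byte ^ 0xff, sz);              /* alloc_perturb() */

    size_t len = clear_len(head, sz);
    size_t room = page + guard - 2 * SIZE_SZ;
    memset(mem, 0, len < room ? len : room);

    for (size_t i = 0; i < guard; i++)
        if (region[page + i] != 0xAA) r.overrun++;
    for (size_t i = 0; i < sz; i++)
        if (mem[i] != 0) r.dirty_in_request++;
    free(region);
    return r;
}

int main(void)
{
    size_t page = 4096, sz = 3000;   /* constructed sample: one-page mapping, 3000-byte request */
    struct clear_result before = simulate_clear(page, 64, sz, old_clear_len, 0x5a);
    struct clear_result after  = simulate_clear(page, 64, sz, new_clear_len, 0x5a);
    printf("SIZE_SZ=%zu usable=%zu\n", SIZE_SZ, usable_size(page | IS_MMAPPED));
    printf("old clear: %zu bytes past the mapping, %zu dirty\n",
           before.overrun, before.dirty_in_request);
    printf("new clear: %zu bytes past the mapping, %zu dirty\n",
           after.overrun, after.dirty_in_request);
    return 0;
}
```

Build with `cc -std=c99 -Wall calloc_model.c`. The old clear length exceeds malloc_usable_size() of the mmapped chunk by exactly SIZE_SZ, which is where the write past the page end comes from; the new length clears only the perturbed sz bytes and stays inside the mapping, and in both cases the requested bytes end up zero.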

