Backport a malloc fix from Doug Lea's version
Jeff Johnston
jjohnstn@redhat.com
Mon May 31 19:37:00 GMT 2010
Patch applied. Thanks.
-- Jeff J.
On 05/30/2010 10:22 PM, Kazu Hirata wrote:
> Hi,
>
> Attached is a patch to backport a malloc fix from Doug Lea's version
> 2.6.5.
>
> Without this patch, free() could cause a dereference of an invalid
> address, resulting in a hard fault under some circumstances.
>
> To avoid confusion, Jeff Johnston committed a patch in this area,
> namely:
>
> 2006-12-18 Jeff Johnston<jjohnstn@redhat.com>
>
> * libc/stdlib/mallocr.c (malloc_extend_top): Add patch from
> 2.6.5 version of Doug Lea's malloc which is the basis of
> this code.
>
> http://sourceware.org/ml/newlib-cvs/2006-q4/msg00070.html
>
> However, if you look at Jeff's patch closely, it is the opposite of
> the change from V2.6.4 to V2.6.5. Jeff's patch moves set_head_size a
> few lines *later*, whereas Doug's change moves set_head_size a few
> lines *earlier*.
>
> Here is what I think happened:
>
> 1996-05-19
> Doug Lea released v2.6.3.
>
> 1998-06-17
> Doug Lea released v2.6.5, which included the fix mentioned in this
> patch.
>
> Sometime between 1998-06-17 and 2000-02-17 (the date of newlib CVS
> import)
> Somebody either backported the fix mentioned in this patch without
> comments or independently came up with an identical fix.
>
> 2006-12-18
> Jeff Johnston committed his change above.
>
> FWIW, Doug's versions are available from:
>
> ftp://gee.cs.oswego.edu/pub/misc/
>
> Here is a quick description of the failure mode without this patch. I
> hope you'll excuse me for skipping some details here as it would take
> me quite a bit of write up to go through the failure mode in complete
> details.
>
> Note that free() attempts to consolidate the newly deallocated chunk
> and surrounding areas (both below and above). Now, suppose:
>
> malloc_extend_top() calls sbrk()<- Call this Block A
> malloc() is called many times
> malloc() allocates last time from Block A<- Call this pointer P
> somebody else calls sbrk()<- Call this Block B
> malloc_extend_top() calls sbrk()<- Call this Block C
>
> in this chronological order. Since Block A and Block C are not
> contiguous due to Block B, the second call to malloc_extend_top()
> installs a couple of dummy used chunks between P and the end of Block
> A to prevent free(P) from consolidating P and the area above P. (The
> source code refers to these dummy chunks as "double fencepost".) Now
> without this patch, the dummy used chunks are not set up correctly,
> which causes free() to dereference an address stored in an
> uninitilized memory location.
>
> In any event, if we backport the fix, I think it's good idea to do so
> completely, including comments and version numbers. Otherwise, we
> wouldn't know what version mallocr.c is based on. You can think of
> this patch to rebase mallocr.c to Version 2.6.5.
>
> Tested on a Cortex-M3 chip. OK to apply?
>
> Kazu Hirata
>
> 2010-05-30 Kazu Hirata<kazu@codesourcery.com>
>
> * libc/stdlib/mallocr.c (malloc_extend_top): Backport the
> difference between versions 2.6.4 and 2.6.5.
>
> Index: newlib/libc/stdlib/mallocr.c
> ===================================================================
> RCS file: /cvs/src/src/newlib/libc/stdlib/mallocr.c,v
> retrieving revision 1.17
> diff -u -r1.17 mallocr.c
> --- newlib/libc/stdlib/mallocr.c 28 Sep 2009 16:42:21 -0000 1.17
> +++ newlib/libc/stdlib/mallocr.c 31 May 2010 01:02:49 -0000
> @@ -8,12 +8,17 @@
> public domain. Send questions/comments/complaints/performance data
> to dl@cs.oswego.edu
>
> -* VERSION 2.6.4 Thu Nov 28 07:54:55 1996 Doug Lea (dl at gee)
> +* VERSION 2.6.5 Wed Jun 17 15:55:16 1998 Doug Lea (dl at gee)
>
> Note: There may be an updated version of this malloc obtainable at
> ftp://g.oswego.edu/pub/misc/malloc.c
> Check before installing!
>
> + Note: This version differs from 2.6.4 only by correcting a
> + statement ordering error that could cause failures only
> + when calls to this malloc are interposed with calls to
> + other memory allocators.
> +
> * Why use this malloc?
>
> This is not the fastest, most space-conserving, most portable, or
> @@ -2223,11 +2228,11 @@
>
> /* Also keep size a multiple of MALLOC_ALIGNMENT */
> old_top_size = (old_top_size - 3*SIZE_SZ)& ~MALLOC_ALIGN_MASK;
> + set_head_size(old_top, old_top_size);
> chunk_at_offset(old_top, old_top_size )->size =
> SIZE_SZ|PREV_INUSE;
> chunk_at_offset(old_top, old_top_size + SIZE_SZ)->size =
> SIZE_SZ|PREV_INUSE;
> - set_head_size(old_top, old_top_size);
> /* If possible, release the rest. */
> if (old_top_size>= MINSIZE)
> fREe(RCALL chunk2mem(old_top));
> @@ -3606,6 +3611,9 @@
>
> History:
>
> + V2.6.5 Wed Jun 17 15:57:31 1998 Doug Lea (dl at gee)
> + * Fixed ordering problem with boundary-stamping
> +
> V2.6.3 Sun May 19 08:17:58 1996 Doug Lea (dl at gee)
> * Added pvalloc, as recommended by H.J. Liu
> * Added 64bit pointer support mainly from Wolfram Gloger
More information about the Newlib
mailing list