This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH v2 1/7] malloc: Add check for top size corruption.

From: Florian Weimer <fweimer at redhat dot com>
To: Istvan Kurucsai <pistukem at gmail dot com>
Cc: libc-alpha at sourceware dot org
Date: Tue, 20 Feb 2018 14:45:44 +0100
Subject: Re: [PATCH v2 1/7] malloc: Add check for top size corruption.
Authentication-results: sourceware.org; auth=none
References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> <1510068430-27816-2-git-send-email-pistukem@gmail.com> <5037e896-ae8c-e933-a221-22d9dd713502@redhat.com> <CAHJ3J3kY=mF=APb2hoWK4LWUZ6Eo484wPB2T3BfhDySjA95+JQ@mail.gmail.com>

On 01/16/2018 01:05 PM, Istvan Kurucsai wrote:

Andreas already pointed out style issues.

I'm somewhat surprised that we have accurate accounting in av->system_mem.

Furthermore, for non-main arenas, I think the check should be against the
size of a single heap, or maybe the minimum of av->system_mem and that size.


I thought about this and believe that we can ensure something more
strict: that the end of the top chunk is the same as the end of the
arena (contiguous main_arena case) or the heap (mmapped arena case),
see below. Tests passed but I'm a bit uncertain if these invariants
are always held.


Ensure that the end of the top chunk is the same as
  the end of the arena/heap.

     * malloc/malloc.c (_int_malloc): Check top size.
---
  malloc/malloc.c | 29 +++++++++++++++++++++++++++++
  1 file changed, 29 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index f5aafd2..fd0f001 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2251,6 +2251,33 @@ do_check_malloc_state (mstate av)
  }
  #endif

+static bool
+valid_top_chunk (mstate av, mchunkptr top)
+{
+  size_t size = chunksize(top);
+
+  assert (av);

I think we can drop that assert, it is implied by the pointerdereference in the subsequent assert.

+  assert (av->top != initial_top (av));
+
+  if (av == &main_arena)
+    {
+      if ((contiguous (&main_arena)
+          && __glibc_unlikely ((uintptr_t) top + size
+                               != (uintptr_t) mp_.sbrk_base + av->system_mem))
+          || (!contiguous (&main_arena)
+              && __glibc_unlikely (size > av->system_mem)))
+        return false;
+    }
+  else
+    {
+      heap_info *heap = heap_for_ptr (top);
+      uintptr_t heap_end = (uintptr_t) heap + heap->size;
+      if (__glibc_unlikely ((uintptr_t) top + size != heap_end))
+        return false;
+    }
+
+  return true;
+}


I wonder if it is possible to write this in a slightly clearer way.

Maybe add a nested if (contiguous (&main_arena)) for the first branch,and directly return the value of the inner-most conditional?


Thanks,
Florian

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]