[v2,1/7] malloc: Add check for top size corruption.
Commit Message
Ensure that the size of top is below av->system_mem.
* malloc/malloc.c (_int_malloc): Check top size.
---
malloc/malloc.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On Nov 07 2017, Istvan Kurucsai <pistukem@gmail.com> wrote:
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index f94d51c..4a30c42 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -4078,6 +4078,10 @@ _int_malloc (mstate av, size_t bytes)
>
> if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
> {
> + if (__glibc_unlikely ((unsigned long) (size) >
> + (unsigned long) (av->system_mem)))
Line break before operator, not after. Redundant parens.
> + malloc_printerr("malloc(): corrupted top chunk");
Space before paren.
Andreas.
On 11/07/2017 04:27 PM, Istvan Kurucsai wrote:
> Ensure that the size of top is below av->system_mem.
>
> * malloc/malloc.c (_int_malloc): Check top size.
> ---
> malloc/malloc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index f94d51c..4a30c42 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -4078,6 +4078,10 @@ _int_malloc (mstate av, size_t bytes)
>
> if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
> {
> + if (__glibc_unlikely ((unsigned long) (size) >
> + (unsigned long) (av->system_mem)))
> + malloc_printerr("malloc(): corrupted top chunk");
> +
Andreas already pointed out style issues.
I'm somewhat surprised that we have accurate accounting in av->system_mem.
Furthermore, for non-main arenas, I think the check should be against
the size of a single heap, or maybe the minimum of av->system_mem and
that size.
Thanks,
Florian
@@ -4078,6 +4078,10 @@ _int_malloc (mstate av, size_t bytes)
if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
{
+ if (__glibc_unlikely ((unsigned long) (size) >
+ (unsigned long) (av->system_mem)))
+ malloc_printerr("malloc(): corrupted top chunk");
+
remainder_size = size - nb;
remainder = chunk_at_offset (victim, nb);
av->top = remainder;