From patchwork Tue Nov 7 15:27:05 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 24138
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
From: Istvan Kurucsai To: libc-alpha@sourceware.org Cc: Istvan Kurucsai Subject: [PATCH v2 2/7] malloc: Additional checks for unsorted bin integrity I. Date: Tue, 7 Nov 2017 16:27:05 +0100 Message-Id: <1510068430-27816-3-git-send-email-pistukem@gmail.com> In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> Ensure the following properties of chunks encountered during binning: - victim chunk has reasonable size - next chunk has reasonable size - next->prev_size == victim->size - valid double linked list - PREV_INUSE of next chunk is unset * malloc/malloc.c (_int_malloc): Additional binning code checks. --- malloc/malloc.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 4a30c42..d3fac7e 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3513,6 +3513,7 @@ _int_malloc (mstate av, size_t bytes) INTERNAL_SIZE_T size; /* its size */ int victim_index; /* its bin index */ + mchunkptr next; /* next contiguous chunk */ mchunkptr remainder; /* remainder from a split */ unsigned long remainder_size; /* its size */ 
@@ -3718,11 +3719,22 @@ _int_malloc (mstate av, size_t bytes) while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av)) { bck = victim->bk; - if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0) - || __builtin_expect (chunksize_nomask (victim) - > av->system_mem, 0)) - malloc_printerr ("malloc(): memory corruption"); size = chunksize (victim); + next = chunk_at_offset (victim, size); + + if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ) + || __glibc_unlikely (chunksize_nomask (victim) > av->system_mem)) + malloc_printerr("malloc(): invalid size (unsorted)"); + if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ) + || __glibc_unlikely (chunksize_nomask (next) > av->system_mem)) + malloc_printerr("malloc(): invalid next size (unsorted)"); + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size)) + malloc_printerr("malloc(): mismatching next->prev_size (unsorted)"); + if (__glibc_unlikely (bck->fd != victim) + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) + malloc_printerr("malloc(): unsorted double linked list corrupted"); + if (__glibc_unlikely (prev_inuse(next))) + malloc_printerr("malloc(): invalid next->prev_inuse (unsorted)"); /* If a small request, try to use last remainder if it is the
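Review bot: In the second hunk (the unsorted-bin loop), the lower bound for the next chunk is `chunksize_nomask (next) < 2 * SIZE_SZ`, while the victim test directly above it uses `<= 2 * SIZE_SZ`, and neither the patch nor the commit message says whether the difference is intended. If a next chunk of exactly 2 * SIZE_SZ is legitimate at this point, add a one-line comment saying why; otherwise use the same comparison in both tests. The order of the tests matters and deserves a comment too: `next` is computed from `size` before the victim size is validated, which is safe only because `next` is first dereferenced after the victim test has passed, so a later reordering of these `if` statements would read through an unvalidated offset. On style, the added `malloc_printerr("...")` calls and `prev_inuse(next)` omit the space before the opening parenthesis that the rest of the hunk uses (`chunksize_nomask (victim)`, `unsorted_chunks (av)`). The old "malloc(): memory corruption" message is replaced by five distinct strings, which is worth stating in the ChangeLog entry, since it currently says only "Additional binning code checks".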