From patchwork Tue Nov 7 15:27:10 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 24143
From: Istvan Kurucsai To: libc-alpha@sourceware.org Cc: Istvan Kurucsai Subject: [PATCH v2 7/7] malloc: Check the alignment of mmapped chunks before unmapping. Date: Tue, 7 Nov 2017 16:27:10 +0100 Message-Id: <1510068430-27816-8-git-send-email-pistukem@gmail.com> In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> * malloc/malloc.c (munmap_chunk): Verify chunk alignment. --- malloc/malloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 1a2ba04..0df4f14 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -2819,6 +2819,7 @@ systrim (size_t pad, mstate av) static void munmap_chunk (mchunkptr p) { + size_t pagesize = GLRO (dl_pagesize); INTERNAL_SIZE_T size = chunksize (p); assert (chunk_is_mmapped (p)); @@ -2828,6 +2829,7 @@ munmap_chunk (mchunkptr p) if (DUMPED_MAIN_ARENA_CHUNK (p)) return; + uintptr_t mem = (uintptr_t) chunk2mem(p); uintptr_t block = (uintptr_t) p - prev_size (p); size_t total_size = prev_size (p) + size; /* Unfortunately we have to do the compilers job by hand here. Normally @@ -2835,7 +2837,8 @@ munmap_chunk (mchunkptr p) page size. But gcc does not recognize the optimization possibility (in the moment at least) so we combine the two values into one before the bit test. */ - if (__builtin_expect (((block | total_size) & (GLRO (dl_pagesize) - 1)) != 0, 0)) + if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0 + || __glibc_unlikely (!powerof2 (mem & (pagesize - 1)))) malloc_printerr ("munmap_chunk(): invalid pointer"); atomic_decrement (&mp_.n_mmaps);
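Review bot: in the second hunk, `chunk2mem(p)` is missing the space before the parenthesis that GNU style and the neighbouring calls (`chunksize (p)`, `prev_size (p)`) use; write `uintptr_t mem = (uintptr_t) chunk2mem (p);`. In the same spirit, the third hunk leaves the `!= 0` outside the `__glibc_unlikely` parentheses, so the comparison is no longer part of the branch hint and the expression reads oddly; the replaced line kept it inside `__builtin_expect`. Suggest `if (__glibc_unlikely (((block | total_size) & (pagesize - 1)) != 0)` for the first operand.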
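Review bot: the new condition in the third hunk, `!powerof2 (mem & (pagesize - 1))`, accepts any power-of-two page offset for the user pointer (1, 2, 4, ... up to half a page, and 0 as well under the usual `(((x) - 1) & (x)) == 0` definition), so it is a much looser test than "the chunk header sits where an mmapped chunk's header must sit". If the intent is to reject corrupted or forged chunk headers before the unmap, state the expected offset explicitly, or at least extend the comment above the `if` (which still only explains the combined `block | total_size` bit test) to say why any power-of-two offset is acceptable here. The commit message should also say what malformed input this check is meant to catch; "Verify chunk alignment" does not tell a later reader why `powerof2` rather than an equality was chosen.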