| Message ID | 1510068430-27816-3-git-send-email-pistukem@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | Additional integrity checks for the malloc | expand |
On 11/07/2017 04:27 PM, Istvan Kurucsai wrote: > + next = chunk_at_offset (victim, size); For new code, we prefer declarations with initializers. > + if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ) > + || __glibc_unlikely (chunksize_nomask (victim) > av->system_mem)) > + malloc_printerr("malloc(): invalid size (unsorted)"); > + if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ) > + || __glibc_unlikely (chunksize_nomask (next) > av->system_mem)) > + malloc_printerr("malloc(): invalid next size (unsorted)"); > + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size)) > + malloc_printerr("malloc(): mismatching next->prev_size (unsorted)"); I think this check is redundant because prev_size (next) and chunksize (victim) are loaded from the same memory location. > + if (__glibc_unlikely (bck->fd != victim) > + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) > + malloc_printerr("malloc(): unsorted double linked list corrupted"); > + if (__glibc_unlikely (prev_inuse(next))) > + malloc_printerr("malloc(): invalid next->prev_inuse (unsorted)"); There's a missing space after malloc_printerr. Why do you keep using chunksize_nomask? We never investigated why the original code uses it. It may have been an accident. Again, for non-main arenas, the checks against av->system_mem could be made tighter (against the heap size). Maybe you could put the condition into a separate inline function? Thanks, Florian
On Thu, Jan 11, 2018 at 3:50 PM, Florian Weimer <fweimer@redhat.com> wrote: > On 11/07/2017 04:27 PM, Istvan Kurucsai wrote: >> >> + next = chunk_at_offset (victim, size); > > > For new code, we prefer declarations with initializers. Noted. >> + if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ) >> + || __glibc_unlikely (chunksize_nomask (victim) > >> av->system_mem)) >> + malloc_printerr("malloc(): invalid size (unsorted)"); >> + if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ) >> + || __glibc_unlikely (chunksize_nomask (next) > >> av->system_mem)) >> + malloc_printerr("malloc(): invalid next size (unsorted)"); >> + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != >> size)) >> + malloc_printerr("malloc(): mismatching next->prev_size >> (unsorted)"); > > > I think this check is redundant because prev_size (next) and chunksize > (victim) are loaded from the same memory location. I'm fairly certain that it compares mchunk_size of victim against mchunk_prev_size of the next chunk, i.e. the size of victim in its header and footer. >> + if (__glibc_unlikely (bck->fd != victim) >> + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) >> + malloc_printerr("malloc(): unsorted double linked list >> corrupted"); >> + if (__glibc_unlikely (prev_inuse(next))) >> + malloc_printerr("malloc(): invalid next->prev_inuse >> (unsorted)"); > > > There's a missing space after malloc_printerr. Noted. > Why do you keep using chunksize_nomask? We never investigated why the > original code uses it. It may have been an accident. You are right, I don't think it makes a difference in these checks. So the size local can be reused for the checks against victim. For next, leaving it as such avoids the masking operation. > Again, for non-main arenas, the checks against av->system_mem could be made > tighter (against the heap size). Maybe you could put the condition into a > separate inline function? We could also do a chunk boundary check similar to what I proposed in the thread for the first patch in the series to be even more strict. I'll gladly try to implement either but believe that refining these checks would bring less benefits than in the case of the top chunk. Intra-arena or intra-heap overlaps would still be doable here with unsorted chunks and I don't see any way to counter that besides more generic measures like randomizing allocations and your metadata encoding patches. I've attached a revised version with the above comments incorporated but without the refined checks. Thanks, Istvan From a12d5d40fd7aed5fa10fc444dcb819947b72b315 Mon Sep 17 00:00:00 2001 From: Istvan Kurucsai <pistukem@gmail.com> Date: Tue, 16 Jan 2018 14:48:16 +0100 Subject: [PATCH v2 1/1] malloc: Additional checks for unsorted bin integrity I. Ensure the following properties of chunks encountered during binning: - victim chunk has reasonable size - next chunk has reasonable size - next->prev_size == victim->size - valid double linked list - PREV_INUSE of next chunk is unset * malloc/malloc.c (_int_malloc): Additional binning code checks. --- malloc/malloc.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index f5aafd2..73f7aba 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3728,11 +3728,22 @@ _int_malloc (mstate av, size_t bytes) while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av)) { bck = victim->bk; - if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0) - || __builtin_expect (chunksize_nomask (victim) - > av->system_mem, 0)) - malloc_printerr ("malloc(): memory corruption"); size = chunksize (victim); + mchunkptr next = chunk_at_offset (victim, size); + + if (__glibc_unlikely (size <= 2 * SIZE_SZ) + || __glibc_unlikely (size > av->system_mem)) + malloc_printerr ("malloc(): invalid size (unsorted)"); + if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ) + || __glibc_unlikely (chunksize_nomask (next) > av->system_mem)) + malloc_printerr ("malloc(): invalid next size (unsorted)"); + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size)) + malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)"); + if (__glibc_unlikely (bck->fd != victim) + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) + malloc_printerr ("malloc(): unsorted double linked list corrupted"); + if (__glibc_unlikely (prev_inuse(next))) + malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)"); /* If a small request, try to use last remainder if it is the
On 01/16/2018 02:54 PM, Istvan Kurucsai wrote: > + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size)) > + malloc_printerr ("malloc(): mismatching next->prev_size (unsorted)"); Is the masking required? I think prev_size is stored without the bits. > + if (__glibc_unlikely (bck->fd != victim) > + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) > + malloc_printerr ("malloc(): unsorted double linked list corrupted"); > + if (__glibc_unlikely (prev_inuse(next))) > + malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)"); Space missing after prev_inuse. Otherwise, this looks okay. Thanks, Florian
On 08/17/2018 04:07 PM, Florian Weimer wrote: > On 01/16/2018 02:54 PM, Istvan Kurucsai wrote: >> + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != >> size)) >> + malloc_printerr ("malloc(): mismatching next->prev_size >> (unsorted)"); > > Is the masking required? I think prev_size is stored without the bits. > >> + if (__glibc_unlikely (bck->fd != victim) >> + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) >> + malloc_printerr ("malloc(): unsorted double linked list >> corrupted"); >> + if (__glibc_unlikely (prev_inuse(next))) >> + malloc_printerr ("malloc(): invalid next->prev_inuse >> (unsorted)"); > > Space missing after prev_inuse. > > Otherwise, this looks okay. I accidentally pushed this without a ChangeLog entry. Fixed with the attached patch. Sorry about that. Florian From 35cfefd96062145eeb8aee6bd72d07e0909a6b2e Mon Sep 17 00:00:00 2001 Message-Id: <35cfefd96062145eeb8aee6bd72d07e0909a6b2e.1534769912.git.fweimer@redhat.com> From: Florian Weimer <fweimer@redhat.com> Date: Mon, 20 Aug 2018 14:57:13 +0200 Subject: [PATCH] malloc: Add ChangeLog for accidentally committed change To: libc-alpha@sourceware.org Commit b90ddd08f6dd688e651df9ee89ca3a69ff88cd0c ("malloc: Additional checks for unsorted bin integrity I.") was committed without a whitespace fix, so it is adjusted here as well. --- ChangeLog | 4 ++++ malloc/malloc.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index deb099483f..56ab51d1b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,10 @@ * sysdeps/s390/fpu/libm-test-ulps: Regenerate. +2018-08-17 Istvan Kurucsai <pistukem@gmail.com> + + * malloc/malloc.c (_int_malloc): Additional binning code checks. + 2018-08-16 Florian Weimer <fweimer@redhat.com> * configure.ac: Add --with-nonshared-cflags option. diff --git a/malloc/malloc.c b/malloc/malloc.c index 47795601c8..67cdfd0ad2 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3730,7 +3730,7 @@ _int_malloc (mstate av, size_t bytes) if (__glibc_unlikely (bck->fd != victim) || __glibc_unlikely (victim->fd != unsorted_chunks (av))) malloc_printerr ("malloc(): unsorted double linked list corrupted"); - if (__glibc_unlikely (prev_inuse(next))) + if (__glibc_unlikely (prev_inuse (next))) malloc_printerr ("malloc(): invalid next->prev_inuse (unsorted)"); /*
diff --git a/malloc/malloc.c b/malloc/malloc.c index 4a30c42..d3fac7e 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3513,6 +3513,7 @@ _int_malloc (mstate av, size_t bytes) INTERNAL_SIZE_T size; /* its size */ int victim_index; /* its bin index */ + mchunkptr next; /* next contiguous chunk */ mchunkptr remainder; /* remainder from a split */ unsigned long remainder_size; /* its size */ @@ -3718,11 +3719,22 @@ _int_malloc (mstate av, size_t bytes) while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av)) { bck = victim->bk; - if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0) - || __builtin_expect (chunksize_nomask (victim) - > av->system_mem, 0)) - malloc_printerr ("malloc(): memory corruption"); size = chunksize (victim); + next = chunk_at_offset (victim, size); + + if (__glibc_unlikely (chunksize_nomask (victim) <= 2 * SIZE_SZ) + || __glibc_unlikely (chunksize_nomask (victim) > av->system_mem)) + malloc_printerr("malloc(): invalid size (unsorted)"); + if (__glibc_unlikely (chunksize_nomask (next) < 2 * SIZE_SZ) + || __glibc_unlikely (chunksize_nomask (next) > av->system_mem)) + malloc_printerr("malloc(): invalid next size (unsorted)"); + if (__glibc_unlikely ((prev_size (next) & ~(SIZE_BITS)) != size)) + malloc_printerr("malloc(): mismatching next->prev_size (unsorted)"); + if (__glibc_unlikely (bck->fd != victim) + || __glibc_unlikely (victim->fd != unsorted_chunks (av))) + malloc_printerr("malloc(): unsorted double linked list corrupted"); + if (__glibc_unlikely (prev_inuse(next))) + malloc_printerr("malloc(): invalid next->prev_inuse (unsorted)"); /* If a small request, try to use last remainder if it is the
Ensure the following properties of chunks encountered during binning: - victim chunk has reasonable size - next chunk has reasonable size - next->prev_size == victim->size - valid double linked list - PREV_INUSE of next chunk is unset * malloc/malloc.c (_int_malloc): Additional binning code checks. --- malloc/malloc.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-)