|
 |
bdc76f |
commit c0e82f117357a941e4d40fcc08babbd6a3c3a1b5
|
|
|
bdc76f |
Author: Istvan Kurucsai <pistukem@gmail.com>
|
|
|
bdc76f |
Date: Fri Dec 21 00:13:01 2018 -0500
|
|
|
bdc76f |
|
|
|
bdc76f |
malloc: Check the alignment of mmapped chunks before unmapping.
|
|
|
bdc76f |
|
|
|
bdc76f |
* malloc/malloc.c (munmap_chunk): Verify chunk alignment.
|
|
|
bdc76f |
|
|
|
bdc76f |
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
|
bdc76f |
index 4df5cb4862a7b854..4412a4ffc83b013b 100644
|
|
|
bdc76f |
--- a/malloc/malloc.c
|
|
|
bdc76f |
+++ b/malloc/malloc.c
|
|
|
bdc76f |
@@ -2817,6 +2817,7 @@ systrim (size_t pad, mstate av)
|
|
|
bdc76f |
static void
|
|
|
bdc76f |
munmap_chunk (mchunkptr p)
|
|
|
bdc76f |
{
|
|
|
bdc76f |
+ size_t pagesize = GLRO (dl_pagesize);
|
|
|
bdc76f |
INTERNAL_SIZE_T size = chunksize (p);
|
|
|
bdc76f |
|
|
|
bdc76f |
assert (chunk_is_mmapped (p));
|
|
|
bdc76f |
@@ -2826,6 +2827,7 @@ munmap_chunk (mchunkptr p)
|
|
|
bdc76f |
if (DUMPED_MAIN_ARENA_CHUNK (p))
|
|
|
bdc76f |
return;
|
|
|
bdc76f |
|
|
|
bdc76f |
+ uintptr_t mem = (uintptr_t) chunk2mem (p);
|
|
|
bdc76f |
uintptr_t block = (uintptr_t) p - prev_size (p);
|
|
|
bdc76f |
size_t total_size = prev_size (p) + size;
|
|
|
bdc76f |
/* Unfortunately we have to do the compilers job by hand here. Normally
|
|
|
bdc76f |
@@ -2833,7 +2835,8 @@ munmap_chunk (mchunkptr p)
|
|
|
bdc76f |
page size. But gcc does not recognize the optimization possibility
|
|
|
bdc76f |
(in the moment at least) so we combine the two values into one before
|
|
|
bdc76f |
the bit test. */
|
|
|
bdc76f |
- if (__builtin_expect (((block | total_size) & (GLRO (dl_pagesize) - 1)) != 0, 0))
|
|
|
bdc76f |
+ if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0
|
|
|
bdc76f |
+ || __glibc_unlikely (!powerof2 (mem & (pagesize - 1))))
|
|
|
bdc76f |
malloc_printerr ("munmap_chunk(): invalid pointer");
|
|
|
bdc76f |
|
|
|
bdc76f |
atomic_decrement (&mp_.n_mmaps);
|