author | otto <> | 2020-10-09 16:01:48 +0000 |
---|---|---|
committer | otto <> | 2020-10-09 16:01:48 +0000 |
commit | acf6e4c16993f0fa6153452c6141084e0c84afc3 (patch) | |
tree | 5f006f2e2f69ae08ff1ce3886400c41f1d6acc25 | |
parent | 2424def27f18b5d0b37aefa364571fdba14bb57d (diff) | |
As noted by tb@, the previous commit only removed an unused function.
So redo previous commit properly:
Use random value for canary bytes; ok tb@.
-rw-r--r-- | src/lib/libc/stdlib/malloc.c | 13 |
1 files changed, 9 insertions, 4 deletions
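--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc.c,v 1.264 2020/10/06 06:31:14 otto Exp $ */
+/* $OpenBSD: malloc.c,v 1.265 2020/10/09 16:01:48 otto Exp $ */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -193,7 +193,7 @@ struct malloc_readonly {
 int def_malloc_junk; /* junk fill? */
 int malloc_realloc; /* always realloc? */
 int malloc_xmalloc; /* xmalloc behaviour? */
-int chunk_canaries; /* use canaries after chunks? */
+u_int chunk_canaries; /* use canaries after chunks? */
 int internal_funcs; /* use better recallocarray/freezero? */
 u_int def_malloc_cache; /* free pages we cache */
 size_t malloc_guard; /* use guard pages after allocations? */
@@ -468,6 +468,11 @@ omalloc_init(void)
 
 while ((mopts.malloc_canary = arc4random()) == 0)
 ;
+if (mopts.chunk_canaries)
+do {
+mopts.chunk_canaries = arc4random();
+} while ((u_char)mopts.chunk_canaries == 0 ||
+(u_char)mopts.chunk_canaries == SOME_FREEJUNK);
 }
 
 static void
@@ -918,7 +923,7 @@ fill_canary(char *ptr, size_t sz, size_t allocated)
 
 if (check_sz > CHUNK_CHECK_LENGTH)
 check_sz = CHUNK_CHECK_LENGTH;
-memset(ptr + sz, SOME_JUNK, check_sz);
+memset(ptr + sz, mopts.chunk_canaries, check_sz);
 }
 
 /*
@@ -1019,7 +1024,7 @@ validate_canary(struct dir_info *d, u_char *ptr, size_t sz, size_t allocated)
 q = p + check_sz;
 
 while (p < q) {
-if (*p != SOME_JUNK) {
+if (*p != (u_char)mopts.chunk_canaries && *p != SOME_JUNK) {
 wrterror(d, "chunk canary corrupted %p %#tx@%#zx%s",
 ptr, p - ptr, sz,
 *p == SOME_FREEJUNK ? " (double free?)" : "");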
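Review bot: In validate_canary the new test still accepts the fixed byte `SOME_JUNK` next to the random one, so a write past the chunk that leaves that constant in the canary area goes unreported, and the check is only as strong as the old one for that value. The hunk does not show why the old value must stay valid (presumably some path still leaves junk fill behind the chunk), so the condition needs a comment naming that path, e.g. `/* SOME_JUNK still accepted: <path that leaves junk fill in the canary area> */`. Only the low byte of `mopts.chunk_canaries` reaches `memset` in fill_canary and the comparison here, while the whole field doubles as the on/off flag set in omalloc_init; the struct comment `/* use canaries after chunks? */` would read better as `/* chunk canary value (low byte used), 0 if disabled */`. validate_canary's body starts and ends outside the hunk.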