diff options
| author | otto <> | 2023-04-01 18:47:51 +0000 |
|---|---|---|
| committer | otto <> | 2023-04-01 18:47:51 +0000 |
| commit | cf724aab877ffcaa29549a1e190b9568d842d1ba (patch) | |
| tree | a23931f52eaf7be0023b8e426ad5ffe04a37b225 | |
| parent | 604fa219220a50c15886d5418cc74626c6da26b7 (diff) | |
| download | openbsd-cf724aab877ffcaa29549a1e190b9568d842d1ba.tar.gz openbsd-cf724aab877ffcaa29549a1e190b9568d842d1ba.tar.bz2 openbsd-cf724aab877ffcaa29549a1e190b9568d842d1ba.zip | |
Check all chunks in the delayed free list for write-after-free.
Should catch more of them and closer (in time) to the WAF. ok tb@
| -rw-r--r-- | src/lib/libc/stdlib/malloc.3 | 7 | ||||
| -rw-r--r-- | src/lib/libc/stdlib/malloc.c | 26 |
2 files changed, 25 insertions, 8 deletions
diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3 index 9bd498ab50..b35b9220f6 100644 --- a/src/lib/libc/stdlib/malloc.3 +++ b/src/lib/libc/stdlib/malloc.3 | |||
| @@ -30,9 +30,9 @@ | |||
| 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 30 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 31 | .\" SUCH DAMAGE. | 31 | .\" SUCH DAMAGE. |
| 32 | .\" | 32 | .\" |
| 33 | .\" $OpenBSD: malloc.3,v 1.129 2022/03/31 17:27:16 naddy Exp $ | 33 | .\" $OpenBSD: malloc.3,v 1.130 2023/04/01 18:47:51 otto Exp $ |
| 34 | .\" | 34 | .\" |
| 35 | .Dd $Mdocdate: March 31 2022 $ | 35 | .Dd $Mdocdate: April 1 2023 $ |
| 36 | .Dt MALLOC 3 | 36 | .Dt MALLOC 3 |
| 37 | .Os | 37 | .Os |
| 38 | .Sh NAME | 38 | .Sh NAME |
| @@ -293,7 +293,8 @@ order to have any effect. | |||
| 293 | .It Cm F | 293 | .It Cm F |
| 294 | .Dq Freecheck . | 294 | .Dq Freecheck . |
| 295 | Enable more extensive double free and use after free detection. | 295 | Enable more extensive double free and use after free detection. |
| 296 | All chunks in the delayed free list will be checked for double frees. | 296 | All chunks in the delayed free list will be checked for double frees and |
| 297 | write after frees. | ||
| 297 | Unused pages on the freelist are read and write protected to | 298 | Unused pages on the freelist are read and write protected to |
| 298 | cause a segmentation fault upon access. | 299 | cause a segmentation fault upon access. |
| 299 | .It Cm G | 300 | .It Cm G |
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index c049b2da54..2ac4b73ec0 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: malloc.c,v 1.278 2023/03/25 15:22:06 otto Exp $ */ | 1 | /* $OpenBSD: malloc.c,v 1.279 2023/04/01 18:47:51 otto Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> | 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> |
| 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> | 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> |
| @@ -1554,11 +1554,25 @@ ofree(struct dir_info **argpool, void *p, int clear, int check, size_t argsz) | |||
| 1554 | find_chunknum(pool, info, p, mopts.chunk_canaries); | 1554 | find_chunknum(pool, info, p, mopts.chunk_canaries); |
| 1555 | 1555 | ||
| 1556 | if (mopts.malloc_freecheck) { | 1556 | if (mopts.malloc_freecheck) { |
| 1557 | for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++) | 1557 | for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++) { |
| 1558 | if (p == pool->delayed_chunks[i]) | 1558 | tmp = pool->delayed_chunks[i]; |
| 1559 | if (tmp == p) | ||
| 1559 | wrterror(pool, | 1560 | wrterror(pool, |
| 1560 | "double free %p", p); | 1561 | "double free %p", p); |
| 1562 | if (tmp != NULL) { | ||
| 1563 | size_t tmpsz; | ||
| 1564 | |||
| 1565 | r = find(pool, tmp); | ||
| 1566 | if (r == NULL) | ||
| 1567 | wrterror(pool, | ||
| 1568 | "bogus pointer (" | ||
| 1569 | "double free?) %p", tmp); | ||
| 1570 | REALSIZE(tmpsz, r); | ||
| 1571 | validate_junk(pool, tmp, tmpsz); | ||
| 1572 | } | ||
| 1573 | } | ||
| 1561 | } | 1574 | } |
| 1575 | |||
| 1562 | if (clear && argsz > 0) | 1576 | if (clear && argsz > 0) |
| 1563 | explicit_bzero(p, argsz); | 1577 | explicit_bzero(p, argsz); |
| 1564 | junk_free(pool->malloc_junk, p, sz); | 1578 | junk_free(pool->malloc_junk, p, sz); |
| @@ -1574,8 +1588,10 @@ ofree(struct dir_info **argpool, void *p, int clear, int check, size_t argsz) | |||
| 1574 | if (r == NULL) | 1588 | if (r == NULL) |
| 1575 | wrterror(pool, | 1589 | wrterror(pool, |
| 1576 | "bogus pointer (double free?) %p", p); | 1590 | "bogus pointer (double free?) %p", p); |
| 1577 | REALSIZE(sz, r); | 1591 | if (!mopts.malloc_freecheck) { |
| 1578 | validate_junk(pool, p, sz); | 1592 | REALSIZE(sz, r); |
| 1593 | validate_junk(pool, p, sz); | ||
| 1594 | } | ||
| 1579 | free_bytes(pool, r, p); | 1595 | free_bytes(pool, r, p); |
| 1580 | } | 1596 | } |
| 1581 | } | 1597 | } |