| author | otto <> | 2023-04-01 18:47:51 +0000 | 
|---|---|---|
| committer | otto <> | 2023-04-01 18:47:51 +0000 | 
| commit | 6e9920658516f0535b43d91e732e6b64d132cb84 (patch) | |
| tree | a23931f52eaf7be0023b8e426ad5ffe04a37b225 /src/lib/libc/stdlib/malloc.c | |
| parent | e913af3a94730134846c454a68ebbd9f40ef20b9 (diff) | |
Check all chunks in the delayed free list for write-after-free.
Should catch more of them and closer (in time) to the write-after-free (WAF).  ok tb@
Diffstat (limited to 'src/lib/libc/stdlib/malloc.c')
| -rw-r--r-- | src/lib/libc/stdlib/malloc.c | 26 | 
1 files changed, 21 insertions, 5 deletions
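--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc.c,v 1.278 2023/03/25 15:22:06 otto Exp $ */
+/* $OpenBSD: malloc.c,v 1.279 2023/04/01 18:47:51 otto Exp $ */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -1554,11 +1554,25 @@ ofree(struct dir_info **argpool, void *p, int clear, int check, size_t argsz)
 find_chunknum(pool, info, p, mopts.chunk_canaries);
 
 if (mopts.malloc_freecheck) {
-for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++)
-if (p == pool->delayed_chunks[i])
+for (i = 0; i <= MALLOC_DELAYED_CHUNK_MASK; i++) {
+tmp = pool->delayed_chunks[i];
+if (tmp == p)
 wrterror(pool,
 "double free %p", p);
+if (tmp != NULL) {
+size_t tmpsz;
+
+r = find(pool, tmp);
+if (r == NULL)
+wrterror(pool,
+"bogus pointer ("
+"double free?) %p", tmp);
+REALSIZE(tmpsz, r);
+validate_junk(pool, tmp, tmpsz);
+}
+}
 }
+
 if (clear && argsz > 0)
 explicit_bzero(p, argsz);
 junk_free(pool->malloc_junk, p, sz);
@@ -1574,8 +1588,10 @@ ofree(struct dir_info **argpool, void *p, int clear, int check, size_t argsz)
 if (r == NULL)
 wrterror(pool,
 "bogus pointer (double free?) %p", p);
-REALSIZE(sz, r);
-validate_junk(pool, p, sz);
+if (!mopts.malloc_freecheck) {
+REALSIZE(sz, r);
+validate_junk(pool, p, sz);
+}
 free_bytes(pool, r, p);
 }
 }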
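Review bot: The `if (!mopts.malloc_freecheck)` guard in the second ofree() hunk skips validate_junk() for the chunk being evicted from the delayed list, and nothing at that spot says why that is safe. It relies on the new loop in the first hunk having already validated every non-NULL entry of `pool->delayed_chunks` earlier in the same call. The lines between the two hunks are not shown, so this assumes the evicted chunk is still one of the entries the loop walked. A comment on the guard would keep that coupling visible, e.g. `/* with freecheck, every delayed chunk was already validated above */`. A matching comment on the loop, `/* freecheck: look for write-after-free in all delayed chunks, not only the evicted one */`, would explain why each free now costs one find() and validate_junk() per slot. ofree() begins and ends outside both hunks.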
