More thorough write-afetr-free checks.

On free, chunks (the pieces of a pages used for smaller allocations) are junked and then validated after they leave the delayed free list. So after free, a chunk always contains junk bytes. This means that if we start with the right contents for a new page of chunks, we can *validate* instead of *write* junk bytes when (re)-using a chunk. With this, we can detect write-after-free when a chunk is recycled, not justy when a chunk is in the delayed free list. We do a little bit more work on initial allocation of a page of chunks and when re-using (as we validate now even on junk level 1). Also: some extra consistency checks for recallocaray(3) and fixes in error messages to make them more consistent, with man page bits. Plus regress additions.
author: otto <> 2023-06-04 06:58:33 +0000
committer: otto <> 2023-06-04 06:58:33 +0000
commit: 2a8b47d0250685d7abc14fa96be74d04d0b8c8ec (patch)
tree: 658d7037f67b98a6598726569c6933ca718927f6 /src/regress/lib/libc
parent: 7819892ebb6ce6589ed0a5ef4e5079e4219f9df2 (diff)
download: openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.tar.gz
openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.tar.bz2
openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.zip
1 files changed, 21 insertions, 6 deletions
diff --git a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
index e0efb6ebf3..6040590a65 100644
--- a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
+++ b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_errs.c,v 1.2 2023/05/09 19:07:37 otto Exp $    */
+/*      $OpenBSD: malloc_errs.c,v 1.3 2023/06/04 06:58:33 otto Exp $    */
 /*
 * Copyright (c) 2023 Otto Moerbeek <otto@drijf.net>
 *
@@ -138,9 +138,7 @@ t8(void)
 void
 t9(void)
 {
-        char *p;
+        char *p = malloc(100);
-        p = malloc(100);
        p[100] = 0;
        free(p);
 }
@@ -191,7 +189,6 @@ t15(void)
 void
 t16(void)
 {
-        abort(); /* not yet */
        char *p = recallocarray(NULL, 0, 16, 1);
        char *q = recallocarray(p, 2, 3, 16);
 }
@@ -208,11 +205,27 @@ t17(void)
 void
 t18(void)
 {
-        abort(); /* not yet */
        char *p = recallocarray(NULL, 0, 1, getpagesize());
        char *q = recallocarray(p, 2, 3, getpagesize());
 }
+/* recallocarray with wrong size, pages */
+void
+t19(void)
+{
+        char *p = recallocarray(NULL, 0, 1, 10 * getpagesize());
+        char *q = recallocarray(p, 1, 2, 4 * getpagesize());
+}
+/* canary check pages */
+void
+t20(void)
+{
+        char *p = malloc(2*getpagesize() - 100);
+        p[2*getpagesize() - 100] = 0;
+        free(p);
+}
 struct test {
        void (*test)(void);
        const char *flags;
@@ -238,6 +251,8 @@ struct test tests[] = {
        { t16, "" },
        { t17, "C" },
        { t18, "" },
+        { t19, "" },
+        { t20, "C" },
 };
 int main(int argc, char *argv[])
author	otto <>	2023-06-04 06:58:33 +0000
committer	otto <>	2023-06-04 06:58:33 +0000
commit	2a8b47d0250685d7abc14fa96be74d04d0b8c8ec (patch)
tree	658d7037f67b98a6598726569c6933ca718927f6 /src/regress/lib/libc
parent	7819892ebb6ce6589ed0a5ef4e5079e4219f9df2 (diff)
download	openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.tar.gz openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.tar.bz2 openbsd-2a8b47d0250685d7abc14fa96be74d04d0b8c8ec.zip