diff options
Diffstat (limited to 'src/lib/libc/stdlib/malloc.c')
| -rw-r--r-- | src/lib/libc/stdlib/malloc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c index 2ac4b73ec0..0df1fe3e4a 100644 --- a/src/lib/libc/stdlib/malloc.c +++ b/src/lib/libc/stdlib/malloc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: malloc.c,v 1.279 2023/04/01 18:47:51 otto Exp $ */ | 1 | /* $OpenBSD: malloc.c,v 1.280 2023/04/05 06:25:38 otto Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> | 3 | * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net> |
| 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> | 4 | * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org> |
| @@ -221,6 +221,7 @@ struct malloc_readonly { | |||
| 221 | u_int chunk_canaries; /* use canaries after chunks? */ | 221 | u_int chunk_canaries; /* use canaries after chunks? */ |
| 222 | int internal_funcs; /* use better recallocarray/freezero? */ | 222 | int internal_funcs; /* use better recallocarray/freezero? */ |
| 223 | u_int def_maxcache; /* free pages we cache */ | 223 | u_int def_maxcache; /* free pages we cache */ |
| 224 | u_int junk_loc; /* variation in location of junk */ | ||
| 224 | size_t malloc_guard; /* use guard pages after allocations? */ | 225 | size_t malloc_guard; /* use guard pages after allocations? */ |
| 225 | #ifdef MALLOC_STATS | 226 | #ifdef MALLOC_STATS |
| 226 | int malloc_stats; /* dump statistics at end */ | 227 | int malloc_stats; /* dump statistics at end */ |
| @@ -493,6 +494,7 @@ omalloc_init(void) | |||
| 493 | 494 | ||
| 494 | while ((mopts.malloc_canary = arc4random()) == 0) | 495 | while ((mopts.malloc_canary = arc4random()) == 0) |
| 495 | ; | 496 | ; |
| 497 | mopts.junk_loc = arc4random(); | ||
| 496 | if (mopts.chunk_canaries) | 498 | if (mopts.chunk_canaries) |
| 497 | do { | 499 | do { |
| 498 | mopts.chunk_canaries = arc4random(); | 500 | mopts.chunk_canaries = arc4random(); |
| @@ -676,7 +678,9 @@ junk_free(int junk, void *p, size_t sz) | |||
| 676 | if (step == 0) | 678 | if (step == 0) |
| 677 | step = 1; | 679 | step = 1; |
| 678 | } | 680 | } |
| 679 | for (i = 0; i < sz; i += step) | 681 | /* Do not always put the free junk bytes in the same spot. |
| 682 | There is modulo bias here, but we ignore that. */ | ||
| 683 | for (i = mopts.junk_loc % step; i < sz; i += step) | ||
| 680 | lp[i] = SOME_FREEJUNK_ULL; | 684 | lp[i] = SOME_FREEJUNK_ULL; |
| 681 | } | 685 | } |
| 682 | 686 | ||
| @@ -696,7 +700,8 @@ validate_junk(struct dir_info *pool, void *p, size_t sz) | |||
| 696 | if (step == 0) | 700 | if (step == 0) |
| 697 | step = 1; | 701 | step = 1; |
| 698 | } | 702 | } |
| 699 | for (i = 0; i < sz; i += step) { | 703 | /* see junk_free */ |
| 704 | for (i = mopts.junk_loc % step; i < sz; i += step) { | ||
| 700 | if (lp[i] != SOME_FREEJUNK_ULL) | 705 | if (lp[i] != SOME_FREEJUNK_ULL) |
| 701 | wrterror(pool, "write after free %p", p); | 706 | wrterror(pool, "write after free %p", p); |
| 702 | } | 707 | } |