From acf6e4c16993f0fa6153452c6141084e0c84afc3 Mon Sep 17 00:00:00 2001
From: otto <>
Date: Fri, 9 Oct 2020 16:01:48 +0000
Subject: As noted by tb@ previous commit only removed an unused fucntion. So redo previous commit properly: Use random value for canary bytes; ok tb@.
---
 src/lib/libc/stdlib/malloc.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index e979428b23..a62bfac3e5 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: malloc.c,v 1.264 2020/10/06 06:31:14 otto Exp $ */
+/* $OpenBSD: malloc.c,v 1.265 2020/10/09 16:01:48 otto Exp $ */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek
 * Copyright (c) 2012 Matthew Dempsky
@@ -193,7 +193,7 @@ struct malloc_readonly {
 int def_malloc_junk; /* junk fill? */
 int malloc_realloc; /* always realloc? */
 int malloc_xmalloc; /* xmalloc behaviour? */
- int chunk_canaries; /* use canaries after chunks? */
+ u_int chunk_canaries; /* use canaries after chunks? */
 int internal_funcs; /* use better recallocarray/freezero? */
 u_int def_malloc_cache; /* free pages we cache */
 size_t malloc_guard; /* use guard pages after allocations? */
@@ -468,6 +468,11 @@ omalloc_init(void)
 
 while ((mopts.malloc_canary = arc4random()) == 0)
 ;
+ if (mopts.chunk_canaries)
+ do {
+ mopts.chunk_canaries = arc4random();
+ } while ((u_char)mopts.chunk_canaries == 0 ||
+ (u_char)mopts.chunk_canaries == SOME_FREEJUNK);
 }
 
 static void
@@ -918,7 +923,7 @@ fill_canary(char *ptr, size_t sz, size_t allocated)
 
 if (check_sz > CHUNK_CHECK_LENGTH)
 check_sz = CHUNK_CHECK_LENGTH;
- memset(ptr + sz, SOME_JUNK, check_sz);
+ memset(ptr + sz, mopts.chunk_canaries, check_sz);
 }
 
 /*
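Review bot: The do/while in omalloc_init that draws the canary byte rejects 0 and SOME_FREEJUNK without recording why, and the reasons are only recoverable by reading validate_canary and the `if (mopts.chunk_canaries)` guard above the loop. A non-zero result is needed because the same field is also the feature's on/off switch, and SOME_FREEJUNK is rejected because validate_canary reports a byte equal to SOME_FREEJUNK as a possible double free, a diagnosis a canary of that value would defeat. Suggested comment above the loop: `/* canary byte must be non-zero (chunk_canaries doubles as the enable flag) and must differ from SOME_FREEJUNK so the double-free diagnostic in validate_canary stays meaningful */`. The loop does not rule out SOME_JUNK; that looks deliberate since validate_canary still accepts that byte, but a word on it in the same comment would save the next reader the question. omalloc_init begins outside the hunk.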
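Review bot: `memset(ptr + sz, mopts.chunk_canaries, check_sz);` relies on memset's implicit narrowing of its int argument to unsigned char to select the low byte of the random u_int, whereas the matching comparison in validate_canary writes that narrowing out as `(u_char)mopts.chunk_canaries`. Spelling it the same way here, `memset(ptr + sz, (u_char)mopts.chunk_canaries, check_sz);`, makes it clear at a glance that writer and checker agree on the byte and that the upper bits of the field never reach memory. fill_canary's computation of check_sz starts outside the hunk.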
@@ -1019,7 +1024,7 @@ validate_canary(struct dir_info *d, u_char *ptr, size_t sz, size_t allocated)
 q = p + check_sz;
 while (p < q) {
- if (*p != SOME_JUNK) {
+ if (*p != (u_char)mopts.chunk_canaries && *p != SOME_JUNK) {
 wrterror(d, "chunk canary corrupted %p %#tx@%#zx%s", ptr, p - ptr, sz, *p == SOME_FREEJUNK ? " (double free?)" : "");
-- 
cgit v1.2.3-55-g6feb