2002-01-29 07:54:51 +00:00
|
|
|
/* Malloc implementation for multiple threads without lock contention.
|
2019-01-01 00:11:28 +00:00
|
|
|
Copyright (C) 2001-2019 Free Software Foundation, Inc.
|
2002-01-29 07:54:51 +00:00
|
|
|
This file is part of the GNU C Library.
|
|
|
|
Contributed by Wolfram Gloger <wg@malloc.de>, 2001.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
2002-08-26 22:40:48 +00:00
|
|
|
modify it under the terms of the GNU Lesser General Public License as
|
|
|
|
published by the Free Software Foundation; either version 2.1 of the
|
2002-01-29 07:54:51 +00:00
|
|
|
License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
2002-08-26 22:40:48 +00:00
|
|
|
Lesser General Public License for more details.
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2002-08-26 22:40:48 +00:00
|
|
|
You should have received a copy of the GNU Lesser General Public
|
2012-02-09 23:18:22 +00:00
|
|
|
License along with the GNU C Library; see the file COPYING.LIB. If
|
Prefer https to http for gnu.org and fsf.org URLs
Also, change sources.redhat.com to sourceware.org.
This patch was automatically generated by running the following shell
script, which uses GNU sed, and which avoids modifying files imported
from upstream:
sed -ri '
s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g
s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g
' \
$(find $(git ls-files) -prune -type f \
! -name '*.po' \
! -name 'ChangeLog*' \
! -path COPYING ! -path COPYING.LIB \
! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \
! -path manual/texinfo.tex ! -path scripts/config.guess \
! -path scripts/config.sub ! -path scripts/install-sh \
! -path scripts/mkinstalldirs ! -path scripts/move-if-change \
! -path INSTALL ! -path locale/programs/charmap-kw.h \
! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \
! '(' -name configure \
-execdir test -f configure.ac -o -f configure.in ';' ')' \
! '(' -name preconfigure \
-execdir test -f preconfigure.ac ';' ')' \
-print)
and then by running 'make dist-prepare' to regenerate files built
from the altered files, and then executing the following to cleanup:
chmod a+x sysdeps/unix/sysv/linux/riscv/configure
# Omit irrelevant whitespace and comment-only changes,
# perhaps from a slightly-different Autoconf version.
git checkout -f \
sysdeps/csky/configure \
sysdeps/hppa/configure \
sysdeps/riscv/configure \
sysdeps/unix/sysv/linux/csky/configure
# Omit changes that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines
git checkout -f \
sysdeps/powerpc/powerpc64/ppc-mcount.S \
sysdeps/unix/sysv/linux/s390/s390-64/syscall.S
# Omit change that caused a pre-commit check to fail like this:
# remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline
git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-09-07 05:40:42 +00:00
|
|
|
not, see <https://www.gnu.org/licenses/>. */
|
2002-01-29 07:54:51 +00:00
|
|
|
|
|
|
|
/* What to do if the standard debugging hooks are in place and a
|
|
|
|
corrupt pointer is detected: do nothing (0), print an error message
|
|
|
|
(1), or call abort() (2). */
|
|
|
|
|
|
|
|
/* Hooks for debugging versions. The initial hooks just call the
|
|
|
|
initialization routine, then do the normal work. */
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
malloc_hook_ini (size_t sz, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
__malloc_hook = NULL;
|
2014-01-02 08:38:18 +00:00
|
|
|
ptmalloc_init ();
|
|
|
|
return __libc_malloc (sz);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
realloc_hook_ini (void *ptr, size_t sz, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
__malloc_hook = NULL;
|
|
|
|
__realloc_hook = NULL;
|
2014-01-02 08:38:18 +00:00
|
|
|
ptmalloc_init ();
|
|
|
|
return __libc_realloc (ptr, sz);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
memalign_hook_ini (size_t alignment, size_t sz, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
__memalign_hook = NULL;
|
2014-01-02 08:38:18 +00:00
|
|
|
ptmalloc_init ();
|
|
|
|
return __libc_memalign (alignment, sz);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Whether we are using malloc checking. */
|
|
|
|
static int using_malloc_checking;
|
|
|
|
|
|
|
|
/* Activate a standard set of debugging hooks. */
|
|
|
|
void
|
2013-06-08 00:22:23 +00:00
|
|
|
__malloc_check_init (void)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
using_malloc_checking = 1;
|
|
|
|
__malloc_hook = malloc_check;
|
|
|
|
__free_hook = free_check;
|
|
|
|
__realloc_hook = realloc_check;
|
|
|
|
__memalign_hook = memalign_check;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* A simple, standard set of debugging hooks. Overhead is `only' one
|
|
|
|
byte per chunk; still this will catch most cases of double frees or
|
|
|
|
overruns. The goal here is to avoid obscure crashes due to invalid
|
|
|
|
usage, unlike in the MALLOC_DEBUG code. */
|
|
|
|
|
2015-05-19 19:10:26 +00:00
|
|
|
static unsigned char
|
|
|
|
magicbyte (const void *p)
|
|
|
|
{
|
|
|
|
unsigned char magic;
|
|
|
|
|
|
|
|
magic = (((uintptr_t) p >> 3) ^ ((uintptr_t) p >> 11)) & 0xFF;
|
|
|
|
/* Do not return 1. See the comment in mem2mem_check(). */
|
|
|
|
if (magic == 1)
|
|
|
|
++magic;
|
|
|
|
return magic;
|
|
|
|
}
|
|
|
|
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2015-05-19 19:10:26 +00:00
|
|
|
/* Visualize the chunk as being partitioned into blocks of 255 bytes from the
|
|
|
|
highest address of the chunk, downwards. The end of each block tells
|
|
|
|
us the size of that block, up to the actual size of the requested
|
2014-12-12 00:38:15 +00:00
|
|
|
memory. Our magic byte is right at the end of the requested size, so we
|
|
|
|
must reach it with this iteration, otherwise we have witnessed a memory
|
|
|
|
corruption. */
|
2012-09-05 16:19:00 +00:00
|
|
|
static size_t
|
2014-01-02 08:38:18 +00:00
|
|
|
malloc_check_get_size (mchunkptr p)
|
2012-09-05 16:19:00 +00:00
|
|
|
{
|
2014-12-12 00:38:15 +00:00
|
|
|
size_t size;
|
2012-09-05 16:19:00 +00:00
|
|
|
unsigned char c;
|
2015-05-19 19:10:26 +00:00
|
|
|
unsigned char magic = magicbyte (p);
|
2012-09-05 16:19:00 +00:00
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
assert (using_malloc_checking == 1);
|
2012-09-05 16:19:00 +00:00
|
|
|
|
2014-12-12 00:38:15 +00:00
|
|
|
for (size = chunksize (p) - 1 + (chunk_is_mmapped (p) ? 0 : SIZE_SZ);
|
|
|
|
(c = ((unsigned char *) p)[size]) != magic;
|
2014-01-02 08:38:18 +00:00
|
|
|
size -= c)
|
|
|
|
{
|
2014-12-12 00:38:15 +00:00
|
|
|
if (c <= 0 || size < (c + 2 * SIZE_SZ))
|
2017-08-30 17:29:38 +00:00
|
|
|
malloc_printerr ("malloc_check_get_size: memory corruption");
|
2012-09-05 16:19:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* chunk2mem size. */
|
2014-01-02 08:38:18 +00:00
|
|
|
return size - 2 * SIZE_SZ;
|
2012-09-05 16:19:00 +00:00
|
|
|
}
|
|
|
|
|
2002-01-29 07:54:51 +00:00
|
|
|
/* Instrument a chunk with overrun detector byte(s) and convert it
|
2015-05-19 19:10:26 +00:00
|
|
|
into a user pointer with requested size req_sz. */
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
2015-05-19 19:10:26 +00:00
|
|
|
mem2mem_check (void *ptr, size_t req_sz)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
mchunkptr p;
|
2014-01-02 08:38:18 +00:00
|
|
|
unsigned char *m_ptr = ptr;
|
2015-05-19 19:10:26 +00:00
|
|
|
size_t max_sz, block_sz, i;
|
|
|
|
unsigned char magic;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
|
|
|
if (!ptr)
|
|
|
|
return ptr;
|
2014-01-02 08:38:18 +00:00
|
|
|
|
|
|
|
p = mem2chunk (ptr);
|
2015-05-19 19:10:26 +00:00
|
|
|
magic = magicbyte (p);
|
|
|
|
max_sz = chunksize (p) - 2 * SIZE_SZ;
|
|
|
|
if (!chunk_is_mmapped (p))
|
|
|
|
max_sz += SIZE_SZ;
|
|
|
|
for (i = max_sz - 1; i > req_sz; i -= block_sz)
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
2015-05-19 19:10:26 +00:00
|
|
|
block_sz = MIN (i - req_sz, 0xff);
|
|
|
|
/* Don't allow the magic byte to appear in the chain of length bytes.
|
|
|
|
For the following to work, magicbyte cannot return 0x01. */
|
|
|
|
if (block_sz == magic)
|
|
|
|
--block_sz;
|
|
|
|
|
|
|
|
m_ptr[i] = block_sz;
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
2015-05-19 19:10:26 +00:00
|
|
|
m_ptr[req_sz] = magic;
|
2014-01-02 08:38:18 +00:00
|
|
|
return (void *) m_ptr;
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Convert a pointer to be free()d or realloc()ed to a valid chunk
|
|
|
|
pointer. If the provided pointer is not valid, return NULL. */
|
|
|
|
|
|
|
|
static mchunkptr
|
2014-01-02 08:38:18 +00:00
|
|
|
mem2chunk_check (void *mem, unsigned char **magic_p)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
mchunkptr p;
|
|
|
|
INTERNAL_SIZE_T sz, c;
|
|
|
|
unsigned char magic;
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
if (!aligned_OK (mem))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
p = mem2chunk (mem);
|
2015-05-19 19:10:26 +00:00
|
|
|
sz = chunksize (p);
|
|
|
|
magic = magicbyte (p);
|
2014-01-02 08:38:18 +00:00
|
|
|
if (!chunk_is_mmapped (p))
|
|
|
|
{
|
|
|
|
/* Must be a chunk in conventional heap memory. */
|
|
|
|
int contig = contiguous (&main_arena);
|
|
|
|
if ((contig &&
|
|
|
|
((char *) p < mp_.sbrk_base ||
|
|
|
|
((char *) p + sz) >= (mp_.sbrk_base + main_arena.system_mem))) ||
|
|
|
|
sz < MINSIZE || sz & MALLOC_ALIGN_MASK || !inuse (p) ||
|
2016-10-28 14:26:57 +00:00
|
|
|
(!prev_inuse (p) && ((prev_size (p) & MALLOC_ALIGN_MASK) != 0 ||
|
2014-01-02 08:38:18 +00:00
|
|
|
(contig && (char *) prev_chunk (p) < mp_.sbrk_base) ||
|
|
|
|
next_chunk (prev_chunk (p)) != p)))
|
|
|
|
return NULL;
|
|
|
|
|
2014-12-12 00:38:15 +00:00
|
|
|
for (sz += SIZE_SZ - 1; (c = ((unsigned char *) p)[sz]) != magic; sz -= c)
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
2015-05-19 19:10:26 +00:00
|
|
|
if (c == 0 || sz < (c + 2 * SIZE_SZ))
|
2014-12-12 00:38:15 +00:00
|
|
|
return NULL;
|
2014-01-02 08:38:18 +00:00
|
|
|
}
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
2014-01-02 08:38:18 +00:00
|
|
|
else
|
|
|
|
{
|
|
|
|
unsigned long offset, page_mask = GLRO (dl_pagesize) - 1;
|
|
|
|
|
|
|
|
/* mmap()ed chunks have MALLOC_ALIGNMENT or higher power-of-two
|
|
|
|
alignment relative to the beginning of a page. Check this
|
|
|
|
first. */
|
|
|
|
offset = (unsigned long) mem & page_mask;
|
|
|
|
if ((offset != MALLOC_ALIGNMENT && offset != 0 && offset != 0x10 &&
|
|
|
|
offset != 0x20 && offset != 0x40 && offset != 0x80 && offset != 0x100 &&
|
|
|
|
offset != 0x200 && offset != 0x400 && offset != 0x800 && offset != 0x1000 &&
|
|
|
|
offset < 0x2000) ||
|
2016-10-28 14:26:57 +00:00
|
|
|
!chunk_is_mmapped (p) || prev_inuse (p) ||
|
|
|
|
((((unsigned long) p - prev_size (p)) & page_mask) != 0) ||
|
|
|
|
((prev_size (p) + sz) & page_mask) != 0)
|
2014-01-02 08:38:18 +00:00
|
|
|
return NULL;
|
|
|
|
|
2014-12-12 00:38:15 +00:00
|
|
|
for (sz -= 1; (c = ((unsigned char *) p)[sz]) != magic; sz -= c)
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
2015-05-19 19:10:26 +00:00
|
|
|
if (c == 0 || sz < (c + 2 * SIZE_SZ))
|
2014-12-12 00:38:15 +00:00
|
|
|
return NULL;
|
2014-01-02 08:38:18 +00:00
|
|
|
}
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
2014-01-02 08:38:18 +00:00
|
|
|
((unsigned char *) p)[sz] ^= 0xFF;
|
2005-04-27 01:39:11 +00:00
|
|
|
if (magic_p)
|
2014-01-02 08:38:18 +00:00
|
|
|
*magic_p = (unsigned char *) p + sz;
|
2002-01-29 07:54:51 +00:00
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
2017-08-30 17:29:38 +00:00
|
|
|
/* Check for corruption of the top chunk. */
|
2017-08-31 10:02:59 +00:00
|
|
|
static void
|
2014-01-02 08:38:18 +00:00
|
|
|
top_check (void)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2014-01-02 08:38:18 +00:00
|
|
|
mchunkptr t = top (&main_arena);
|
|
|
|
|
|
|
|
if (t == initial_top (&main_arena) ||
|
|
|
|
(!chunk_is_mmapped (t) &&
|
|
|
|
chunksize (t) >= MINSIZE &&
|
|
|
|
prev_inuse (t) &&
|
|
|
|
(!contiguous (&main_arena) ||
|
|
|
|
(char *) t + chunksize (t) == mp_.sbrk_base + main_arena.system_mem)))
|
2017-08-31 10:02:59 +00:00
|
|
|
return;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2017-08-30 17:29:38 +00:00
|
|
|
malloc_printerr ("malloc: top chunk is corrupt");
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
malloc_check (size_t sz, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2011-09-10 22:10:17 +00:00
|
|
|
void *victim;
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
size_t nb;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
if (__builtin_add_overflow (sz, 1, &nb))
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
|
|
|
__set_errno (ENOMEM);
|
|
|
|
return NULL;
|
|
|
|
}
|
2005-04-27 01:39:11 +00:00
|
|
|
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_lock (main_arena.mutex);
|
2017-08-31 10:02:59 +00:00
|
|
|
top_check ();
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
victim = _int_malloc (&main_arena, nb);
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
return mem2mem_check (victim, sz);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2014-01-02 08:38:18 +00:00
|
|
|
free_check (void *mem, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
|
|
|
mchunkptr p;
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
if (!mem)
|
2002-01-29 07:54:51 +00:00
|
|
|
return;
|
2014-01-02 08:38:18 +00:00
|
|
|
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_lock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
p = mem2chunk_check (mem, NULL);
|
|
|
|
if (!p)
|
2017-08-30 17:29:38 +00:00
|
|
|
malloc_printerr ("free(): invalid pointer");
|
2014-01-02 08:38:18 +00:00
|
|
|
if (chunk_is_mmapped (p))
|
|
|
|
{
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
munmap_chunk (p);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
_int_free (&main_arena, p, 1);
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
realloc_check (void *oldmem, size_t bytes, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2009-02-07 22:01:49 +00:00
|
|
|
INTERNAL_SIZE_T nb;
|
2014-01-02 08:38:18 +00:00
|
|
|
void *newmem = 0;
|
2005-04-27 01:39:11 +00:00
|
|
|
unsigned char *magic_p;
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
size_t rb;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
if (__builtin_add_overflow (bytes, 1, &rb))
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
|
|
|
__set_errno (ENOMEM);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (oldmem == 0)
|
|
|
|
return malloc_check (bytes, NULL);
|
|
|
|
|
|
|
|
if (bytes == 0)
|
|
|
|
{
|
|
|
|
free_check (oldmem, NULL);
|
|
|
|
return NULL;
|
|
|
|
}
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_lock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
const mchunkptr oldp = mem2chunk_check (oldmem, &magic_p);
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
if (!oldp)
|
2017-08-30 17:29:38 +00:00
|
|
|
malloc_printerr ("realloc(): invalid pointer");
|
2014-01-02 08:38:18 +00:00
|
|
|
const INTERNAL_SIZE_T oldsize = chunksize (oldp);
|
|
|
|
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
if (!checked_request2size (rb, &nb))
|
|
|
|
goto invert;
|
|
|
|
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_lock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
|
|
|
|
if (chunk_is_mmapped (oldp))
|
|
|
|
{
|
2002-01-29 07:54:51 +00:00
|
|
|
#if HAVE_MREMAP
|
2014-01-02 08:38:18 +00:00
|
|
|
mchunkptr newp = mremap_chunk (oldp, nb);
|
|
|
|
if (newp)
|
|
|
|
newmem = chunk2mem (newp);
|
|
|
|
else
|
2002-01-29 07:54:51 +00:00
|
|
|
#endif
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
|
|
|
/* Note the extra SIZE_SZ overhead. */
|
|
|
|
if (oldsize - SIZE_SZ >= nb)
|
|
|
|
newmem = oldmem; /* do nothing */
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* Must alloc, copy, free. */
|
2017-08-31 10:02:59 +00:00
|
|
|
top_check ();
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
newmem = _int_malloc (&main_arena, rb);
|
2014-01-02 08:38:18 +00:00
|
|
|
if (newmem)
|
|
|
|
{
|
|
|
|
memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ);
|
|
|
|
munmap_chunk (oldp);
|
|
|
|
}
|
|
|
|
}
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
}
|
2014-01-02 08:38:18 +00:00
|
|
|
else
|
|
|
|
{
|
2017-08-31 10:02:59 +00:00
|
|
|
top_check ();
|
|
|
|
newmem = _int_realloc (&main_arena, oldp, oldsize, nb);
|
2009-02-07 22:49:34 +00:00
|
|
|
}
|
2005-04-27 01:39:11 +00:00
|
|
|
|
2017-10-15 15:16:26 +00:00
|
|
|
DIAG_PUSH_NEEDS_COMMENT;
|
|
|
|
#if __GNUC_PREREQ (7, 0)
|
|
|
|
/* GCC 7 warns about magic_p may be used uninitialized. But we never
|
|
|
|
reach here if magic_p is uninitialized. */
|
|
|
|
DIAG_IGNORE_NEEDS_COMMENT (7, "-Wmaybe-uninitialized");
|
|
|
|
#endif
|
2005-04-27 01:39:11 +00:00
|
|
|
/* mem2chunk_check changed the magic byte in the old chunk.
|
|
|
|
If newmem is NULL, then the old chunk will still be used though,
|
|
|
|
so we need to invert that change here. */
|
malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).
This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.
From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).
The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.
The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.
Checked on x86_64-linux-gnu and i686-linux-gnu.
[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
[BZ #23741]
* malloc/hooks.c (malloc_check, realloc_check): Use
__builtin_add_overflow on overflow check and adapt to
checked_request2size change.
* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
allocation size to PTRDIFF_MAX.
(REQUEST_OUT_OF_RANGE): Remove macro.
(checked_request2size): Change to inline function and limit maximum
requested size to PTRDIFF_MAX.
(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
maximum allocation size to PTRDIFF_MAX.
(_mid_memalign): Use _int_memalign call for overflow check.
(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
(__libc_calloc): Use __builtin_mul_overflow for overflow check and
limit maximum requested size to PTRDIFF_MAX.
* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
valloc, pvalloc): Add __attribute_alloc_size__.
* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
larger than PTRDIFF_MAX.
* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
around tests of malloc with negative sizes.
* malloc/tst-posix_memalign.c (do_test): Likewise.
* malloc/tst-pvalloc.c (do_test): Likewise.
* malloc/tst-valloc.c (do_test): Likewise.
* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
with resulting size allocation larger than PTRDIFF_MAX with
reallocarray_nowarn.
(reallocarray_nowarn): New function.
* NEWS: Mention the malloc function semantic change.
2018-12-18 18:30:56 +00:00
|
|
|
invert:
|
2014-01-02 08:38:18 +00:00
|
|
|
if (newmem == NULL)
|
|
|
|
*magic_p ^= 0xFF;
|
2017-10-15 15:16:26 +00:00
|
|
|
DIAG_POP_NEEDS_COMMENT;
|
2005-04-27 01:39:11 +00:00
|
|
|
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
return mem2mem_check (newmem, bytes);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
static void *
|
|
|
|
memalign_check (size_t alignment, size_t bytes, const void *caller)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2014-01-02 08:38:18 +00:00
|
|
|
void *mem;
|
|
|
|
|
|
|
|
if (alignment <= MALLOC_ALIGNMENT)
|
|
|
|
return malloc_check (bytes, NULL);
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
if (alignment < MINSIZE)
|
|
|
|
alignment = MINSIZE;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2013-10-10 12:17:13 +00:00
|
|
|
/* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
|
|
|
|
power of 2 and will cause overflow in the check below. */
|
|
|
|
if (alignment > SIZE_MAX / 2 + 1)
|
|
|
|
{
|
|
|
|
__set_errno (EINVAL);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-10-09 13:41:57 +00:00
|
|
|
/* Check for overflow. */
|
|
|
|
if (bytes > SIZE_MAX - alignment - MINSIZE)
|
|
|
|
{
|
|
|
|
__set_errno (ENOMEM);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-11-20 14:46:02 +00:00
|
|
|
/* Make sure alignment is power of 2. */
|
2014-01-02 08:38:18 +00:00
|
|
|
if (!powerof2 (alignment))
|
|
|
|
{
|
|
|
|
size_t a = MALLOC_ALIGNMENT * 2;
|
|
|
|
while (a < alignment)
|
|
|
|
a <<= 1;
|
|
|
|
alignment = a;
|
|
|
|
}
|
|
|
|
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_lock (main_arena.mutex);
|
2017-08-31 10:02:59 +00:00
|
|
|
top_check ();
|
|
|
|
mem = _int_memalign (&main_arena, alignment, bytes + 1);
|
2016-09-06 10:49:54 +00:00
|
|
|
__libc_lock_unlock (main_arena.mutex);
|
2014-01-02 08:38:18 +00:00
|
|
|
return mem2mem_check (mem, bytes);
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
|
|
|
|
2016-10-26 11:28:28 +00:00
|
|
|
#if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_25)
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2018-06-29 12:54:59 +00:00
|
|
|
/* Support for restoring dumped heaps contained in historic Emacs
|
|
|
|
executables. The heap saving feature (malloc_get_state) is no
|
|
|
|
longer implemented in this version of glibc, but we have a heap
|
|
|
|
rewriter in malloc_set_state which transforms the heap into a
|
|
|
|
version compatible with current malloc. */
|
2002-01-29 07:54:51 +00:00
|
|
|
|
|
|
|
#define MALLOC_STATE_MAGIC 0x444c4541l
|
2016-05-24 06:05:15 +00:00
|
|
|
#define MALLOC_STATE_VERSION (0 * 0x100l + 5l) /* major*0x100 + minor */
|
2014-01-02 08:38:18 +00:00
|
|
|
|
|
|
|
struct malloc_save_state
|
|
|
|
{
|
|
|
|
long magic;
|
|
|
|
long version;
|
|
|
|
mbinptr av[NBINS * 2 + 2];
|
|
|
|
char *sbrk_base;
|
|
|
|
int sbrked_mem_bytes;
|
2002-01-29 07:54:51 +00:00
|
|
|
unsigned long trim_threshold;
|
|
|
|
unsigned long top_pad;
|
2014-01-02 08:38:18 +00:00
|
|
|
unsigned int n_mmaps_max;
|
2002-01-29 07:54:51 +00:00
|
|
|
unsigned long mmap_threshold;
|
2014-01-02 08:38:18 +00:00
|
|
|
int check_action;
|
2002-01-29 07:54:51 +00:00
|
|
|
unsigned long max_sbrked_mem;
|
2016-02-19 16:07:04 +00:00
|
|
|
unsigned long max_total_mem; /* Always 0, for backwards compatibility. */
|
2014-01-02 08:38:18 +00:00
|
|
|
unsigned int n_mmaps;
|
|
|
|
unsigned int max_n_mmaps;
|
2002-01-29 07:54:51 +00:00
|
|
|
unsigned long mmapped_mem;
|
|
|
|
unsigned long max_mmapped_mem;
|
2014-01-02 08:38:18 +00:00
|
|
|
int using_malloc_checking;
|
2009-04-08 18:00:34 +00:00
|
|
|
unsigned long max_fast;
|
|
|
|
unsigned long arena_test;
|
|
|
|
unsigned long arena_max;
|
|
|
|
unsigned long narenas;
|
2002-01-29 07:54:51 +00:00
|
|
|
};
|
|
|
|
|
2016-10-26 11:28:28 +00:00
|
|
|
/* Dummy implementation which always fails. We need to provide this
|
|
|
|
symbol so that existing Emacs binaries continue to work with
|
|
|
|
BIND_NOW. */
|
2014-01-02 08:38:18 +00:00
|
|
|
void *
|
2016-10-26 11:28:28 +00:00
|
|
|
attribute_compat_text_section
|
|
|
|
malloc_get_state (void)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2016-10-26 11:28:28 +00:00
|
|
|
__set_errno (ENOSYS);
|
|
|
|
return NULL;
|
2002-01-29 07:54:51 +00:00
|
|
|
}
|
2016-10-26 11:28:28 +00:00
|
|
|
compat_symbol (libc, malloc_get_state, malloc_get_state, GLIBC_2_0);
|
2002-01-29 07:54:51 +00:00
|
|
|
|
|
|
|
int
|
2016-10-26 11:28:28 +00:00
|
|
|
attribute_compat_text_section
|
|
|
|
malloc_set_state (void *msptr)
|
2002-01-29 07:54:51 +00:00
|
|
|
{
|
2014-01-02 08:38:18 +00:00
|
|
|
struct malloc_save_state *ms = (struct malloc_save_state *) msptr;
|
2002-01-29 07:54:51 +00:00
|
|
|
|
2014-01-02 08:38:18 +00:00
|
|
|
if (ms->magic != MALLOC_STATE_MAGIC)
|
|
|
|
return -1;
|
|
|
|
|
2002-01-29 07:54:51 +00:00
|
|
|
/* Must fail if the major version is too high. */
|
2014-01-02 08:38:18 +00:00
|
|
|
if ((ms->version & ~0xffl) > (MALLOC_STATE_VERSION & ~0xffl))
|
|
|
|
return -2;
|
|
|
|
|
2018-06-29 12:54:59 +00:00
|
|
|
/* We do not need to perform locking here because malloc_set_state
|
2016-05-13 12:16:39 +00:00
|
|
|
must be called before the first call into the malloc subsytem
|
|
|
|
(usually via __malloc_initialize_hook). pthread_create always
|
|
|
|
calls calloc and thus must be called only afterwards, so there
|
|
|
|
cannot be more than one thread when we reach this point. */
|
|
|
|
|
|
|
|
/* Disable the malloc hooks (and malloc checking). */
|
|
|
|
__malloc_hook = NULL;
|
|
|
|
__realloc_hook = NULL;
|
|
|
|
__free_hook = NULL;
|
|
|
|
__memalign_hook = NULL;
|
|
|
|
using_malloc_checking = 0;
|
|
|
|
|
|
|
|
/* Patch the dumped heap. We no longer try to integrate into the
|
|
|
|
existing heap. Instead, we mark the existing chunks as mmapped.
|
|
|
|
Together with the update to dumped_main_arena_start and
|
|
|
|
dumped_main_arena_end, realloc and free will recognize these
|
|
|
|
chunks as dumped fake mmapped chunks and never free them. */
|
|
|
|
|
|
|
|
/* Find the chunk with the lowest address with the heap. */
|
|
|
|
mchunkptr chunk = NULL;
|
|
|
|
{
|
|
|
|
size_t *candidate = (size_t *) ms->sbrk_base;
|
|
|
|
size_t *end = (size_t *) (ms->sbrk_base + ms->sbrked_mem_bytes);
|
|
|
|
while (candidate < end)
|
|
|
|
if (*candidate != 0)
|
|
|
|
{
|
|
|
|
chunk = mem2chunk ((void *) (candidate + 1));
|
|
|
|
break;
|
|
|
|
}
|
2014-01-02 08:38:18 +00:00
|
|
|
else
|
2016-05-13 12:16:39 +00:00
|
|
|
++candidate;
|
|
|
|
}
|
|
|
|
if (chunk == NULL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* Iterate over the dumped heap and patch the chunks so that they
|
|
|
|
are treated as fake mmapped chunks. */
|
|
|
|
mchunkptr top = ms->av[2];
|
|
|
|
while (chunk < top)
|
2014-01-02 08:38:18 +00:00
|
|
|
{
|
2016-05-13 12:16:39 +00:00
|
|
|
if (inuse (chunk))
|
|
|
|
{
|
|
|
|
/* Mark chunk as mmapped, to trigger the fallback path. */
|
|
|
|
size_t size = chunksize (chunk);
|
|
|
|
set_head (chunk, size | IS_MMAPPED);
|
|
|
|
}
|
|
|
|
chunk = next_chunk (chunk);
|
2014-01-02 08:38:18 +00:00
|
|
|
}
|
|
|
|
|
2016-05-13 12:16:39 +00:00
|
|
|
/* The dumped fake mmapped chunks all lie in this address range. */
|
|
|
|
dumped_main_arena_start = (mchunkptr) ms->sbrk_base;
|
|
|
|
dumped_main_arena_end = top;
|
|
|
|
|
2002-01-29 07:54:51 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2016-10-26 11:28:28 +00:00
|
|
|
compat_symbol (libc, malloc_set_state, malloc_set_state, GLIBC_2_0);
|
|
|
|
|
|
|
|
#endif /* SHLIB_COMPAT */
|
2002-01-29 07:54:51 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Local variables:
|
|
|
|
* c-basic-offset: 2
|
|
|
|
* End:
|
|
|
|
*/
|