Commit Graph

75 Commits

Author SHA1 Message Date
Adhemerval Zanella
9bf8e29ca1 malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea
and add both the __attribute_alloc_size__ on malloc functions (malloc,
calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
maximum requested allocation size to up PTRDIFF_MAX (taking into
consideration internal padding and alignment).

This aligns glibc with gcc expected size defined by default warning
-Walloc-size-larger-than value which warns for allocation larger than
PTRDIFF_MAX.  It also aligns with gcc expectation regarding libc and
expected size, such as described in PR#67999 [2] and previously discussed
ISO C11 issues [3] on libc-alpha.

From the RFC thread [4] and previous discussion, it seems that consensus
is only to limit such requested size for malloc functions, not the system
allocation one (mmap, sbrk, etc.).

The implementation changes checked_request2size to check for both overflow
and maximum object size up to PTRDIFF_MAX. No additional checks are done
on sysmalloc, so it can still issue mmap with values larger than
PTRDIFF_T depending on the requested size.

The __attribute_alloc_size__ is for functions that return a pointer only,
which means it cannot be applied to posix_memalign (see remarks in GCC
PR#87683 [5]). The runtimes checks to limit maximum requested allocation
size does applies to posix_memalign.

Checked on x86_64-linux-gnu and i686-linux-gnu.

[1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
[2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
[3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
[4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
[5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683

	[BZ #23741]
	* malloc/hooks.c (malloc_check, realloc_check): Use
	__builtin_add_overflow on overflow check and adapt to
	checked_request2size change.
	* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
	__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
	allocation size to PTRDIFF_MAX.
	(REQUEST_OUT_OF_RANGE): Remove macro.
	(checked_request2size): Change to inline function and limit maximum
	requested size to PTRDIFF_MAX.
	(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
	maximum allocation size to PTRDIFF_MAX.
	(_mid_memalign): Use _int_memalign call for overflow check.
	(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
	(__libc_calloc): Use __builtin_mul_overflow for overflow check and
	limit maximum requested size to PTRDIFF_MAX.
	* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
	valloc, pvalloc): Add __attribute_alloc_size__.
	* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
	* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
	larger than PTRDIFF_MAX.
	* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
	around tests of malloc with negative sizes.
	* malloc/tst-posix_memalign.c (do_test): Likewise.
	* malloc/tst-pvalloc.c (do_test): Likewise.
	* malloc/tst-valloc.c (do_test): Likewise.
	* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
	with resulting size allocation larger than PTRDIFF_MAX with
	reallocarray_nowarn.
	(reallocarray_nowarn): New function.
	* NEWS: Mention the malloc function semantic change.
2019-04-18 17:30:06 -03:00
Joseph Myers
04277e02d7 Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2019-01-01 00:11:28 +00:00
Florian Weimer
524d796d5f malloc: Update heap dumping/undumping comments [BZ #23351]
Also remove a few now-unused declarations and definitions.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
2018-06-29 14:55:15 +02:00
Joseph Myers
688903eb3e Update copyright dates with scripts/update-copyrights.
* All files with FSF copyright notices: Update copyright dates
	using scripts/update-copyrights.
	* locale/programs/charmap-kw.h: Regenerated.
	* locale/programs/locfile-kw.h: Likewise.
2018-01-01 00:32:25 +00:00
H.J. Lu
8e57c9432a Silence -O3 -Wall warning in malloc/hooks.c with GCC 7 [BZ #22052]
realloc_check has

  unsigned char *magic_p;
...
  __libc_lock_lock (main_arena.mutex);
  const mchunkptr oldp = mem2chunk_check (oldmem, &magic_p);
  __libc_lock_unlock (main_arena.mutex);
  if (!oldp)
    malloc_printerr ("realloc(): invalid pointer");
...
  if (newmem == NULL)
    *magic_p ^= 0xFF;

with

static void malloc_printerr(const char *str) __attribute__ ((noreturn));

GCC 7 -O3 warns

hooks.c: In function ‘realloc_check’:
hooks.c:352:14: error: ‘magic_p’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     *magic_p ^= 0xFF;

due to the GCC bug:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82090

This patch silences GCC 7 by using DIAG_IGNORE_NEEDS_COMMENT.

	[BZ #22052]
	* malloc/hooks.c (realloc_check): Use DIAG_IGNORE_NEEDS_COMMENT
	to silence -O3 -Wall warning with GCC 7.
2017-10-15 08:16:37 -07:00
Florian Weimer
0c71122c0c malloc: Remove the internal_function attribute 2017-08-31 15:59:06 +02:00
Florian Weimer
5129873a8e malloc: Change top_check return type to void
After commit ec2c1fcefb,
(malloc: Abort on heap corruption, without a backtrace), the function
always returns 0.
2017-08-31 14:16:52 +02:00
Florian Weimer
ac3ed168d0 malloc: Remove check_action variable [BZ #21754]
Clean up calls to malloc_printerr and trim its argument list.

This also removes a few bits of work done before calling
malloc_printerr (such as unlocking operations).

The tunable/environment variable still enables the lightweight
additional malloc checking, but mallopt (M_CHECK_ACTION)
no longer has any effect.
2017-08-30 20:08:34 +02:00
Joseph Myers
bfff8b1bec Update copyright dates with scripts/update-copyrights. 2017-01-01 00:14:16 +00:00
Florian Weimer
e9c4fe93b3 malloc: Use accessors for chunk metadata access
This change allows us to change the encoding of these struct members
in a centralized fashion.
2016-10-28 16:45:45 +02:00
Florian Weimer
e863cce57b malloc: Remove malloc_get_state, malloc_set_state [BZ #19473]
After the removal of __malloc_initialize_hook, newly compiled
Emacs binaries are no longer able to use these interfaces.
malloc_get_state is only used during the Emacs build process,
so we provide a stub implementation only.  Existing Emacs binaries
will not call this stub function, but still reference the symbol.

The rewritten tst-mallocstate test constructs a dumped heap
which should approximates what existing Emacs binaries pass
to glibc malloc.
2016-10-26 13:28:28 +02:00
Florian Weimer
4bf5f2224b malloc: Automated part of conversion to __libc_lock 2016-09-06 12:49:54 +02:00
Florian Weimer
dea39b13e2 malloc: Correct malloc alignment on 32-bit architectures [BZ #6527]
After the heap rewriting added in commit
4cf6c72fd2 (malloc: Rewrite dumped heap
for compatibility in __malloc_set_state), we can change malloc alignment
for new allocations because the alignment of old allocations no longer
matters.

We need to increase the malloc state version number, so that binaries
containing dumped heaps of the new layout will not try to run on
previous versions of glibc, resulting in obscure crashes.

This commit addresses a failure of tst-malloc-thread-fail on the
affected architectures (32-bit ppc and mips) because the test checks
pointer alignment.
2016-05-24 08:05:15 +02:00
Florian Weimer
4cf6c72fd2 malloc: Rewrite dumped heap for compatibility in __malloc_set_state
This will allow us to change many aspects of the malloc implementation
while preserving compatibility with existing Emacs binaries.

As a result, existing Emacs binaries will have a larger RSS, and Emacs
needs a few more milliseconds to start.  This overhead is specific
to Emacs (and will go away once Emacs switches to its internal malloc).

The new checks to make free and realloc compatible with the dumped heap
are confined to the mmap paths, which are already quite slow due to the
munmap overhead.

This commit weakens some security checks, but only for heap pointers
in the dumped main arena.  By default, this area is empty, so those
checks are as effective as before.
2016-05-13 14:16:39 +02:00
Florian Weimer
ca135f824b malloc: Remove max_total_mem member form struct malloc_par
Also note that sumblks in struct mallinfo is always 0.
No functional change.
2016-02-19 17:07:04 +01:00
Joseph Myers
f7a9f785e5 Update copyright dates with scripts/update-copyrights. 2016-01-04 16:05:18 +00:00
James Lemke
265cbed8e7 Fix for test "malloc_usable_size: expected 7 but got 11"
[BZ #17581] The checking chain of unused chunks was terminated by a hash of
    the block pointer, which was sometimes confused with the chunk length byte.
    We now avoid using a length byte equal to the magic byte.
2015-05-19 12:10:26 -07:00
Siddhesh Poyarekar
fff94fa224 Avoid deadlock in malloc on backtrace (BZ #16159)
When the malloc subsystem detects some kind of memory corruption,
depending on the configuration it prints the error, a backtrace, a
memory map and then aborts the process.  In this process, the
backtrace() call may result in a call to malloc, resulting in
various kinds of problematic behavior.

In one case, the malloc it calls may detect a corruption and call
backtrace again, and a stack overflow may result due to the infinite
recursion.  In another case, the malloc it calls may deadlock on an
arena lock with the malloc (or free, realloc, etc.) that detected the
corruption.  In yet another case, if the program is linked with
pthreads, backtrace may do a pthread_once initialization, which
deadlocks on itself.

In all these cases, the program exit is not as intended.  This is
avoidable by marking the arena that malloc detected a corruption on,
as unusable.  The following patch does that.  Features of this patch
are as follows:

- A flag is added to the mstate struct of the arena to indicate if the
  arena is corrupt.

- The flag is checked whenever malloc functions try to get a lock on
  an arena.  If the arena is unusable, a NULL is returned, causing the
  malloc to use mmap or try the next arena.

- malloc_printerr sets the corrupt flag on the arena when it detects a
  corruption

- free does not concern itself with the flag at all.  It is not
  important since the backtrace workflow does not need free.  A free
  in a parallel thread may cause another corruption, but that's not
  new

- The flag check and set are not atomic and may race.  This is fine
  since we don't care about contention during the flag check.  We want
  to make sure that the malloc call in the backtrace does not trip on
  itself and all that action happens in the same thread and not across
  threads.

I verified that the test case does not show any regressions due to
this patch.  I also ran the malloc benchmarks and found an
insignificant difference in timings (< 2%).

	* malloc/Makefile (tests): New test case tst-malloc-backtrace.
	* malloc/arena.c (arena_lock): Check if arena is corrupt.
	(reused_arena): Find a non-corrupt arena.
	(heap_trim): Pass arena to unlink.
	* malloc/hooks.c (malloc_check_get_size): Pass arena to
	malloc_printerr.
	(top_check): Likewise.
	(free_check): Likewise.
	(realloc_check): Likewise.
	* malloc/malloc.c (malloc_printerr): Add arena argument.
	(unlink): Likewise.
	(munmap_chunk): Adjust.
	(ARENA_CORRUPTION_BIT): New macro.
	(arena_is_corrupt): Likewise.
	(set_arena_corrupt): Likewise.
	(sysmalloc): Use mmap if there are no usable arenas.
	(_int_malloc): Likewise.
	(__libc_malloc): Don't fail if arena_get returns NULL.
	(_mid_memalign): Likewise.
	(__libc_calloc): Likewise.
	(__libc_realloc): Adjust for additional argument to
	malloc_printerr.
	(_int_free): Likewise.
	(malloc_consolidate): Likewise.
	(_int_realloc): Likewise.
	(_int_memalign): Don't touch corrupt arenas.
	* malloc/tst-malloc-backtrace.c: New test case.
2015-05-19 06:40:38 +05:30
Joseph Myers
b168057aaa Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
James Lemke
9173840b4d Fix for test "malloc_usable_size: expected 7 but got 11"
[BZ #17581] Revert this fix while investigating a problem.
2014-12-11 16:48:29 -08:00
James Lemke
08f1e1d2bc Fix for test "malloc_usable_size: expected 7 but got 11"
[BZ #17581] The checking chain of unused chunks was terminated by a hash of
the block pointer, which was sometimes confused with the chunk length byte.
The chain is now terminated by a NULL byte.
2014-12-01 13:05:18 -08:00
Ondřej Bílka
6c8dbf00f5 Reformat malloc to gnu style. 2014-01-02 09:40:10 +01:00
Allan McRae
d4697bc93d Update copyright notices with scripts/update-copyrights 2014-01-01 22:00:23 +10:00
Ondřej Bílka
0dfa665cc1 Expand MALLOC_COPY and MALLOC_ZERO to memcpy and memset. 2013-12-10 19:36:28 +01:00
Ondřej Bílka
5782a80f9f Drop PER_THREAD conditionals from malloc. 2013-12-10 18:00:14 +01:00
Ondřej Bílka
f3eeb3fc56 Replace malloc force_reg by atomic_forced_read. 2013-12-09 17:14:12 +01:00
Ondřej Bílka
10ad46bc65 Consolidate valloc/pvalloc code.
To make malloc code more maintainable we make malloc and pvalloc share
logic with memalign.
2013-11-20 15:46:02 +01:00
Will Newton
a56ee40b17 malloc: Fix for infinite loop in memalign/posix_memalign.
A very large alignment argument passed to mealign/posix_memalign
causes _int_memalign to enter an infinite loop. Limit the maximum
alignment value to the maximum representable power of two to
prevent this from happening.

Changelog:

2013-10-30  Will Newton  <will.newton@linaro.org>

	[BZ #16038]
	* malloc/hooks.c (memalign_check): Limit alignment to the
	maximum representable power of two.
	* malloc/malloc.c (__libc_memalign): Likewise.
	* malloc/tst-memalign.c (do_test): Add test for very
	large alignment values.
	* malloc/tst-posix_memalign.c (do_test): Likewise.
2013-10-30 14:46:02 -07:00
Will Newton
321e268471 malloc/hooks.c: Correct check for overflow in memalign_check.
A large value of bytes passed to memalign_check can cause an integer
overflow in _int_memalign and heap corruption. This issue can be
exposed by running tst-memalign with MALLOC_CHECK_=3.

ChangeLog:

2013-10-10  Will Newton  <will.newton@linaro.org>

	* malloc/hooks.c (memalign_check): Ensure the value of bytes
	passed to _int_memalign does not overflow.
2013-10-10 14:52:05 +01:00
Joseph Myers
60d2f8f3c7 Use (void) in no-arguments function definitions. 2013-06-08 00:22:23 +00:00
Joseph Myers
a222d91a13 Remove __malloc_ptr_t. 2013-03-08 21:27:42 +00:00
Joseph Myers
568035b787 Update copyright notices with scripts/update-copyrights. 2013-01-02 19:05:09 +00:00
Siddhesh Poyarekar
6ef9cc37f0 Return requested size for malloc_usable_size when MALLOC_CHECK_ > 0
[BZ #1349]

malloc_usable_size returns the usable size in an allocated chunk,
which may be >= the requested size. In the case of MALLOC_CHECK_ being
exported to > 0 however, only the requested size is usable, since a
magic value is written at the end of the request size to trap writes
beyond request bounds. Hence, when MALLOC_CHECK_ is exported to > 0,
malloc_usable_size() should return the request size.
2012-09-05 21:49:30 +05:30
Paul Eggert
59ba27a63a Replace FSF snail mail address with URLs. 2012-02-09 23:18:22 +00:00
Ulrich Drepper
3b49edc04b Cleanups of malloc
Remove ugly names and unnecessary wrappers.
2012-01-31 18:49:22 -05:00
Ulrich Drepper
d77e786926 Minor cleanups of malloc code 2012-01-16 12:07:56 -05:00
Ulrich Drepper
8e58439c92 Remove MALLOC_FAILURE_ACTION use in malloc 2011-09-10 22:12:38 -04:00
Ulrich Drepper
02d46fc4b9 Simplify malloc initialization
Singificantly reduce the code needed at malloc initialization.  In
the process getpagesize is simplified by always initializing
GLRO(dl_pagesize).
2011-09-10 21:47:36 -04:00
Ulrich Drepper
22a8918713 Simplify malloc code
Remove all kinds of unused configuration options and dead code.
2011-09-10 18:10:17 -04:00
Ulrich Drepper
d063d16433 Remove support for !USE___THREAD 2011-09-10 16:50:28 -04:00
Ulrich Drepper
8538fdb3ec (memalign_check): No need to use checked_request2size. 2011-07-08 13:20:41 -04:00
Ulrich Drepper
cc49a5a883 Restore locking in free_check.
This code is only used when MALLOC_CHECK_ is used.  Then some bogus
crashes and/or assert could result from the locking changes.  The code
ain't fast.
2009-11-01 07:27:00 -08:00
Ulrich Drepper
acdf23097f (top_check): Force hook value into register. 2009-04-17 17:55:06 +00:00
Ulrich Drepper
df77455c4b [BZ #9957]
2009-04-16  Ulrich Drepper  <drepper@redhat.com>
	[BZ #9957]
	* malloc/malloc.c (force_reg): Define.
	(sYSMALLOc): Load hook variable into variable
	before test and force into register.
	(sYSTRIm): Likewise.
	(public_mALLOc): Force hook value into register.
	(public_fREe): Likewise.
	(public_rEALLOc): Likewise.
	(public_mEMALIGn): Likewise.
	(public_vALLOc): Likewise.
	(public_pVALLOc): Likewise.
	(public_cALLOc): Likewise.
	(__posix_memalign): Likewise.
	* malloc/arena.c (ptmalloc_init): Load hook variable into variable
	before test and force into register.
	* malloc/hooks.c (top_check): Likewise.
	(public_s_ET_STATe): Pretty printing.

	* resolv/res_send.c (send_dg): Don't just ignore the result we got
	in case we only receive one reply in single-request mode.
2009-04-16 21:22:16 +00:00
Ulrich Drepper
4c8b8cc332 * malloc/malloc.c (_int_realloc): Add parameter with old block
size.  Remove duplicated test.  Don't handle mmap'ed blocks here.
	Adjust all callers.
	* malloc/hooks.c (realloc_check): Adjust _int_realloc call.
2009-04-08 18:00:34 +00:00
Ulrich Drepper
425ce2edb9 * config.h.in (USE_MULTIARCH): Define.
* configure.in: Handle --enable-multi-arch.
	* elf/dl-runtime.c (_dl_fixup): Handle STT_GNU_IFUNC.
	(_dl_fixup_profile): Likewise.
	* elf/do-lookup.c (dl_lookup_x): Likewise.
	* sysdeps/x86_64/dl-machine.h: Handle STT_GNU_IFUNC.
	* elf/elf.h (STT_GNU_IFUNC): Define.
	* include/libc-symbols.h (libc_ifunc): Define.
	* sysdeps/x86_64/cacheinfo.c: If USE_MULTIARCH is defined, use the
	framework in init-arch.h to get CPUID values.
	* sysdeps/x86_64/multiarch/Makefile: New file.
	* sysdeps/x86_64/multiarch/init-arch.c: New file.
	* sysdeps/x86_64/multiarch/init-arch.h: New file.
	* sysdeps/x86_64/multiarch/sched_cpucount.c: New file.

	* config.make.in (experimental-malloc): Define.
	* configure.in: Handle --enable-experimental-malloc.
	* malloc/Makefile: Handle experimental-malloc flag.
	* malloc/malloc.c: Implement PER_THREAD and ATOMIC_FASTBINS features.
	* malloc/arena.c: Likewise.
	* malloc/hooks.c: Likewise.
	* malloc/malloc.h: Define M_ARENA_TEST and M_ARENA_MAX.
2009-03-13 23:53:18 +00:00
Ulrich Drepper
6dd6a580df (_int_realloc): Likewise. Third argument is now padded size 2009-02-07 22:49:34 +00:00
Ulrich Drepper
78ac92ad8d * malloc/malloc.c (_int_free): Second argument is now mchunkptr.
Change all callers.
	(_int_realloc): Likewise.
	All _int_* functions are now static.
	* malloc/hooks.c: Change all callers to _int_free and _int_realloc.
	* malloc/arena.c: Likewise.
	* include/malloc.h: Remove now unnecessary declarations of the _int_*
	functions.
2009-02-07 22:01:49 +00:00
Ulrich Drepper
231e783524 (__malloc_check_init): Remove printf. 2008-07-15 17:16:07 +00:00
Ulrich Drepper
1f4843fbff * malloc/hooks.c (MALLOC_STATE_VERSION): Bump.
(public_sET_STATe): If ms->version < 3, put all chunks into
	unsorted chunks and clear {fd,bk}_nextsize fields of largebin
	chunks.

	* malloc/malloc.c [MALLOC_DEBUG]: Revert 2007-05-13 changes.
	* malloc/hooks.c: Likewise.
	* malloc/arena.c: Likewise.
	* malloc/malloc.c (do_check_malloc_state): Don't assert
	n_mmaps is not greater than n_mmaps_max.  This removes the need
	for the previous change.

	* malloc/Makefile (CFLAGS-malloc.c): Revert accidental
	2007-05-07 commit.
2007-05-21 16:13:18 +00:00