[haiku-commits] r33638 - in haiku/trunk/src/system: kernel libroot/posix/malloc_debug

  • From: mmlr@xxxxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Sun, 18 Oct 2009 14:35:49 +0200 (CEST)

Author: mmlr
Date: 2009-10-18 14:35:49 +0200 (Sun, 18 Oct 2009)
New Revision: 33638
Changeset: http://dev.haiku-os.org/changeset/33638/haiku

Modified:
   haiku/trunk/src/system/kernel/heap.cpp
   haiku/trunk/src/system/libroot/posix/malloc_debug/heap.cpp
Log:
anevilyak+korli+mmlr:
* Check for overflows in memory allocation. If someone happened to (erroneously)
  try to allocate a negative amount of memory we could overflow and crash
  because of the sizes getting messed up.
* Review and update the alignment logic which was a bit broken for the huge
  allocation case (reaching the area threshold). Also assert the results so
  next time this will be easier to spot.


Modified: haiku/trunk/src/system/kernel/heap.cpp
===================================================================
--- haiku/trunk/src/system/kernel/heap.cpp      2009-10-18 12:33:59 UTC (rev 
33637)
+++ haiku/trunk/src/system/kernel/heap.cpp      2009-10-18 12:35:49 UTC (rev 
33638)
@@ -1986,12 +1986,14 @@
 
        if (!gKernelStartup && size > HEAP_AREA_USE_THRESHOLD) {
                // don't even attempt such a huge allocation - use areas instead
-               size_t areaSize = size + sizeof(area_allocation_info);
-               if (alignment != 0)
-                       areaSize = ROUNDUP(areaSize, alignment);
+               size_t areaSize = ROUNDUP(size + sizeof(area_allocation_info)
+                       + alignment, B_PAGE_SIZE);
+               if (areaSize < size) {
+                       // the size overflowed
+                       return NULL;
+               }
 
                void *address = NULL;
-               areaSize = ROUNDUP(areaSize, B_PAGE_SIZE);
                area_id allocationArea = create_area("memalign area", &address,
                        B_ANY_KERNEL_BLOCK_ADDRESS, areaSize, B_FULL_LOCK,
                        B_KERNEL_READ_AREA | B_KERNEL_WRITE_AREA);
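Review bot: The overflow check `if (areaSize < size)` can miss a wrap that originates in the `+ alignment` term: if `alignment` is within `sizeof(area_allocation_info)` of `SIZE_MAX` (an erroneous `(size_t)-1`, the same class of mistake this commit guards `size` against), `sizeof(area_allocation_info) + alignment` wraps to a small value, the sum stays at or above `size`, the check passes, and `create_area` is called with an area far smaller than the allocation. Whether `alignment` is validated earlier is not visible here, since the function starts outside the hunk, so the guard is safer made self-contained by checking each addition before the page rounding. The libroot hunk at `@@ -1550,12 +1550,14 @@` has the same shape and the same gap.
```cpp
		size_t areaSize = size + sizeof(area_allocation_info);
		if (areaSize < size || areaSize + alignment < areaSize) {
			// the size overflowed
			return NULL;
		}
		areaSize = ROUNDUP(areaSize + alignment, B_PAGE_SIZE);
		if (areaSize < size) {
			// the page rounding wrapped
			return NULL;
		}
		// … unchanged: create_area call …
```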
@@ -2009,8 +2011,11 @@
                info->allocation_alignment = alignment;
 
                address = (void *)((addr_t)address + 
sizeof(area_allocation_info));
-               if (alignment != 0)
+               if (alignment != 0) {
+                       ASSERT((addr_t)address % alignment == 0);
+                       ASSERT((addr_t)address + size - 1 < (addr_t)info + 
areaSize - 1);
                        address = (void *)ROUNDUP((addr_t)address, alignment);
+               }
 
                TRACE(("heap: allocated area %ld for huge allocation of %lu 
bytes\n",
                        allocationArea, size));
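Review bot: The two new ASSERTs starting at `ASSERT((addr_t)address % alignment == 0);` are evaluated before the `ROUNDUP` on the following line, so they check the pre-alignment address: the modulo assert will fire whenever `alignment` does not already divide the area base plus `sizeof(area_allocation_info)`, and the bounds assert never sees the final, rounded pointer. The libroot hunk at `@@ -1573,8 +1575,11 @@` has the intended order; moving both ASSERT lines below `address = (void *)ROUNDUP((addr_t)address, alignment);` makes the kernel copy match it. In both files the range assert `(addr_t)address + size - 1 < (addr_t)info + areaSize - 1` is one byte too strict, rejecting an allocation that ends on the area's last byte; `ASSERT((addr_t)address + size <= (addr_t)info + areaSize);` states the intended bound directly. The enclosing function starts and ends outside the hunk.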

Modified: haiku/trunk/src/system/libroot/posix/malloc_debug/heap.cpp
===================================================================
--- haiku/trunk/src/system/libroot/posix/malloc_debug/heap.cpp  2009-10-18 
12:33:59 UTC (rev 33637)
+++ haiku/trunk/src/system/libroot/posix/malloc_debug/heap.cpp  2009-10-18 
12:35:49 UTC (rev 33638)
@@ -1550,12 +1550,14 @@
 {
        if (size > HEAP_AREA_USE_THRESHOLD) {
                // don't even attempt such a huge allocation - use areas instead
-               size_t areaSize = size + sizeof(area_allocation_info);
-               if (alignment != 0)
-                       areaSize = ROUNDUP(areaSize, alignment);
+               size_t areaSize = ROUNDUP(size + sizeof(area_allocation_info)
+                       + alignment, B_PAGE_SIZE);
+               if (areaSize < size) {
+                       // the size overflowed
+                       return NULL;
+               }
 
                void *address = NULL;
-               areaSize = ROUNDUP(areaSize, B_PAGE_SIZE);
                area_id allocationArea = create_area("memalign area", &address,
                        B_ANY_ADDRESS, areaSize, B_NO_LOCK, B_READ_AREA | 
B_WRITE_AREA);
                if (allocationArea < B_OK) {
@@ -1573,8 +1575,11 @@
                info->allocation_alignment = alignment;
 
                address = (void *)((addr_t)address + 
sizeof(area_allocation_info));
-               if (alignment != 0)
+               if (alignment != 0) {
                        address = (void *)ROUNDUP((addr_t)address, alignment);
+                       ASSERT((addr_t)address % alignment == 0);
+                       ASSERT((addr_t)address + size - 1 < (addr_t)info + 
areaSize - 1);
+               }
 
                INFO(("heap: allocated area %ld for huge allocation of %lu 
bytes\n",
                        allocationArea, size));

