[PATCH] tests: brk-near-huge: Avoid malloc chunk overwrite
355 views
Skip to first unread message
Sandipan Das
Oct 6, 2020, 5:33:09 PM10/6/20
to emu...@mgebm.net, er...@munsonfam.org, libhug...@googlegroups.com, aneesh...@linux.ibm.com, tul...@linux.ibm.com
There are two possible ways by which this test can pass.
The first way applies to systems for which the kernel
prevents the program break from being set in a hugepage
segment. The second way is for systems without segment
limitations where the kernel should not crash when the
region between the original and new program break is
written to.
Irrespective of whether setting the new program break
succeeds or not, the preceding calls to functions such
as next_chunk() and test_addr_huge() always lead to the
use of malloc() internally which changes the program
break permanently due to chunk allocations. Thus, chunk
data is now stored starting from the address denoted by
brk0.
If setting the new program break succeeds, the region
between brk0 and newbrk is overwritten with zeros which
also clears out the chunk data used by malloc(). When
the second pass condition succeeds, puts(), which also
internally uses malloc(), is called but the malloc()
call fails since the chunk data has been cleared. This
causes an internal assertion to fail and the test gets
aborted.
This can be prevented by making sure that every malloc()
call always uses separate mmap()-ed regions rather than
using chunks.
If QUIET_TEST is not set, the program break changes
due to chunk allocations happening even before brk0 is
determined. This is because of calls to functions like
test_init(). Hence, the chunk data remains untouched
when the second pass condition succeeds and the test
does not get aborted.
Suggested-by: Tulio Magno Quites Machado Filho <tul...@linux.ibm.com>
Signed-off-by: Sandipan Das <sand...@linux.ibm.com>
---
tests/brk_near_huge.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/brk_near_huge.c b/tests/brk_near_huge.c
index c9662f4..2ab6fe8 100644
--- a/tests/brk_near_huge.c
+++ b/tests/brk_near_huge.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <malloc.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>
@@ -75,6 +76,9 @@ int main(int argc, char *argv[])
char *p;
int err;
+ /* Make all malloc() calls use mmap() */
+ mallopt(M_MMAP_THRESHOLD, 0);
+
test_init(argc, argv);
hpage_size = check_hugepagesize();
--
2.25.1
The first way applies to systems for which the kernel
prevents the program break from being set in a hugepage
segment. The second way is for systems without segment
limitations where the kernel should not crash when the
region between the original and new program break is
written to.
Irrespective of whether setting the new program break
succeeds or not, the preceding calls to functions such
as next_chunk() and test_addr_huge() always lead to the
use of malloc() internally which changes the program
break permanently due to chunk allocations. Thus, chunk
data is now stored starting from the address denoted by
brk0.
If setting the new program break succeeds, the region
between brk0 and newbrk is overwritten with zeros which
also clears out the chunk data used by malloc(). When
the second pass condition succeeds, puts(), which also
internally uses malloc(), is called but the malloc()
call fails since the chunk data has been cleared. This
causes an internal assertion to fail and the test gets
aborted.
This can be prevented by making sure that every malloc()
call always uses separate mmap()-ed regions rather than
using chunks.
If QUIET_TEST is not set, the program break changes
due to chunk allocations happening even before brk0 is
determined. This is because of calls to functions like
test_init(). Hence, the chunk data remains untouched
when the second pass condition succeeds and the test
does not get aborted.
Suggested-by: Tulio Magno Quites Machado Filho <tul...@linux.ibm.com>
Signed-off-by: Sandipan Das <sand...@linux.ibm.com>
---
tests/brk_near_huge.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/brk_near_huge.c b/tests/brk_near_huge.c
index c9662f4..2ab6fe8 100644
--- a/tests/brk_near_huge.c
+++ b/tests/brk_near_huge.c
@@ -19,6 +19,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <malloc.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>
@@ -75,6 +76,9 @@ int main(int argc, char *argv[])
char *p;
int err;
+ /* Make all malloc() calls use mmap() */
+ mallopt(M_MMAP_THRESHOLD, 0);
+
test_init(argc, argv);
hpage_size = check_hugepagesize();
--
2.25.1
Reply all
Reply to author
Forward
0 new messages