anevilyak+korli+mmlr:
* Check for overflows in memory allocation. If someone happened to (erroneously) try to allocate a negative amount of memory we could overflow and crash because of the sizes getting messed up. * Review and update the alignment logic which was a bit broken for the huge allocation case (reaching the area threshold). Also assert the results so next time this will be easier to spot. git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@33638 a95241bf-73f2-0310-859d-f6bbb57e9c96
This commit is contained in:
parent
599586baa6
commit
b501a0387d
@ -1986,12 +1986,14 @@ memalign(size_t alignment, size_t size)
|
|||||||
|
|
||||||
if (!gKernelStartup && size > HEAP_AREA_USE_THRESHOLD) {
|
if (!gKernelStartup && size > HEAP_AREA_USE_THRESHOLD) {
|
||||||
// don't even attempt such a huge allocation - use areas instead
|
// don't even attempt such a huge allocation - use areas instead
|
||||||
size_t areaSize = size + sizeof(area_allocation_info);
|
size_t areaSize = ROUNDUP(size + sizeof(area_allocation_info)
|
||||||
if (alignment != 0)
|
+ alignment, B_PAGE_SIZE);
|
||||||
areaSize = ROUNDUP(areaSize, alignment);
|
if (areaSize < size) {
|
||||||
|
// the size overflowed
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
void *address = NULL;
|
void *address = NULL;
|
||||||
areaSize = ROUNDUP(areaSize, B_PAGE_SIZE);
|
|
||||||
area_id allocationArea = create_area("memalign area", &address,
|
area_id allocationArea = create_area("memalign area", &address,
|
||||||
B_ANY_KERNEL_BLOCK_ADDRESS, areaSize, B_FULL_LOCK,
|
B_ANY_KERNEL_BLOCK_ADDRESS, areaSize, B_FULL_LOCK,
|
||||||
B_KERNEL_READ_AREA | B_KERNEL_WRITE_AREA);
|
B_KERNEL_READ_AREA | B_KERNEL_WRITE_AREA);
|
||||||
@ -2009,8 +2011,11 @@ memalign(size_t alignment, size_t size)
|
|||||||
info->allocation_alignment = alignment;
|
info->allocation_alignment = alignment;
|
||||||
|
|
||||||
address = (void *)((addr_t)address + sizeof(area_allocation_info));
|
address = (void *)((addr_t)address + sizeof(area_allocation_info));
|
||||||
if (alignment != 0)
|
if (alignment != 0) {
|
||||||
|
ASSERT((addr_t)address % alignment == 0);
|
||||||
|
ASSERT((addr_t)address + size - 1 < (addr_t)info + areaSize - 1);
|
||||||
address = (void *)ROUNDUP((addr_t)address, alignment);
|
address = (void *)ROUNDUP((addr_t)address, alignment);
|
||||||
|
}
|
||||||
|
|
||||||
TRACE(("heap: allocated area %ld for huge allocation of %lu bytes\n",
|
TRACE(("heap: allocated area %ld for huge allocation of %lu bytes\n",
|
||||||
allocationArea, size));
|
allocationArea, size));
|
||||||
|
@ -1550,12 +1550,14 @@ memalign(size_t alignment, size_t size)
|
|||||||
{
|
{
|
||||||
if (size > HEAP_AREA_USE_THRESHOLD) {
|
if (size > HEAP_AREA_USE_THRESHOLD) {
|
||||||
// don't even attempt such a huge allocation - use areas instead
|
// don't even attempt such a huge allocation - use areas instead
|
||||||
size_t areaSize = size + sizeof(area_allocation_info);
|
size_t areaSize = ROUNDUP(size + sizeof(area_allocation_info)
|
||||||
if (alignment != 0)
|
+ alignment, B_PAGE_SIZE);
|
||||||
areaSize = ROUNDUP(areaSize, alignment);
|
if (areaSize < size) {
|
||||||
|
// the size overflowed
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
void *address = NULL;
|
void *address = NULL;
|
||||||
areaSize = ROUNDUP(areaSize, B_PAGE_SIZE);
|
|
||||||
area_id allocationArea = create_area("memalign area", &address,
|
area_id allocationArea = create_area("memalign area", &address,
|
||||||
B_ANY_ADDRESS, areaSize, B_NO_LOCK, B_READ_AREA | B_WRITE_AREA);
|
B_ANY_ADDRESS, areaSize, B_NO_LOCK, B_READ_AREA | B_WRITE_AREA);
|
||||||
if (allocationArea < B_OK) {
|
if (allocationArea < B_OK) {
|
||||||
@ -1573,8 +1575,11 @@ memalign(size_t alignment, size_t size)
|
|||||||
info->allocation_alignment = alignment;
|
info->allocation_alignment = alignment;
|
||||||
|
|
||||||
address = (void *)((addr_t)address + sizeof(area_allocation_info));
|
address = (void *)((addr_t)address + sizeof(area_allocation_info));
|
||||||
if (alignment != 0)
|
if (alignment != 0) {
|
||||||
address = (void *)ROUNDUP((addr_t)address, alignment);
|
address = (void *)ROUNDUP((addr_t)address, alignment);
|
||||||
|
ASSERT((addr_t)address % alignment == 0);
|
||||||
|
ASSERT((addr_t)address + size - 1 < (addr_t)info + areaSize - 1);
|
||||||
|
}
|
||||||
|
|
||||||
INFO(("heap: allocated area %ld for huge allocation of %lu bytes\n",
|
INFO(("heap: allocated area %ld for huge allocation of %lu bytes\n",
|
||||||
allocationArea, size));
|
allocationArea, size));
|
||||||
|
Loading…
Reference in New Issue
Block a user