This is an automated email from the ASF dual-hosted git repository.

acassis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git


The following commit(s) were added to refs/heads/master by this push:
     new 36e3d32740 mm/heap: add coloration after free to detect use after free 
issue
36e3d32740 is described below

commit 36e3d327405a02d983bdacbf170092df07def74a
Author: dongjiuzhu1 <[email protected]>
AuthorDate: Tue Sep 5 13:44:14 2023 +0800

    mm/heap: add coloration after free to detect use after free issue
    
    Signed-off-by: dongjiuzhu1 <[email protected]>
---
 mm/mempool/mempool.c | 8 ++++++++
 mm/mm_heap/mm_free.c | 4 ++++
 mm/tlsf/mm_tlsf.c    | 8 ++++++++
 3 files changed, 20 insertions(+)

diff --git a/mm/mempool/mempool.c b/mm/mempool/mempool.c
index 145ca4588d..2f32814d00 100644
--- a/mm/mempool/mempool.c
+++ b/mm/mempool/mempool.c
@@ -273,6 +273,10 @@ retry:
         }
     }
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0xaa, pool->blocksize);
+#endif
+
 #if CONFIG_MM_BACKTRACE >= 0
   mempool_add_backtrace(pool, (FAR struct mempool_backtrace_s *)
                               ((FAR char *)blk + pool->blocksize));
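Review bot: The allocation-side fill added here has no visible KASAN unpoison ahead of it, whereas the `mm_malloc` hunk in mm/tlsf/mm_tlsf.c places its `memset(ret, 0xaa, ...)` after `kasan_unpoison()`. The rest of this function lies outside the hunk, so the order cannot be confirmed from here. If the block is only unpoisoned further down, an instrumented `memset` would write to memory still marked poisoned, and KASAN builds would report the fill itself. Check that the unpoison call precedes this line, and pin the order with a comment such as `/* Must follow kasan_unpoison(): the fill writes the whole block */`.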
@@ -312,6 +316,10 @@ void mempool_free(FAR struct mempool_s *pool, FAR void 
*blk)
   pool->nalloc--;
 #endif
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0x55, pool->blocksize);
+#endif
+
   if (pool->interruptsize > blocksize)
     {
       if ((FAR char *)blk >= pool->ibase &&
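Review bot: The free pattern `0x55` is a bare literal here and again in both `mm_free` hunks (mm/mm_heap/mm_free.c and mm/tlsf/mm_tlsf.c), and the allocation pattern `0xaa` is likewise repeated in mempool.c and mm_tlsf.c. Named constants in a shared mm header, for example `#define MM_ALLOC_MAGIC 0xaa` and `#define MM_FREE_MAGIC 0x55` (names are only a suggestion), would keep the three allocators in step and give crash-dump triage one place to look up what each pattern means. The diffstat touches only the three .c files, so the help text for CONFIG_MM_FILL_ALLOCATIONS presumably still describes fill-on-allocation only; it should state that freed memory is now overwritten as well. The body of mempool_free continues outside the hunk.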
diff --git a/mm/mm_heap/mm_free.c b/mm/mm_heap/mm_free.c
index a92f467aa7..699b87d33f 100644
--- a/mm/mm_heap/mm_free.c
+++ b/mm/mm_heap/mm_free.c
@@ -104,6 +104,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)
       return;
     }
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
   kasan_poison(mem, mm_malloc_size(heap, mem));
 
   /* Map the memory chunk into a free node */
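Review bot: Nothing records that the new `memset` must stay ahead of `kasan_poison()`; once the region is poisoned an instrumented write to it would be reported, so swapping the two statements later would break KASAN builds. A comment such as `/* Fill before kasan_poison(): the block must still be writable */` would pin that, and the same applies to the `mm_free` hunk in mm/tlsf/mm_tlsf.c. `mm_malloc_size(heap, mem)` is also evaluated twice in a row in both places, so computing it once into a local would avoid the repeat. The pattern is a detection aid rather than a scrub guarantee: the free-node mapping that follows may overwrite the start of the block (not visible in this hunk), so a checker should not expect every byte to read 0x55.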
diff --git a/mm/tlsf/mm_tlsf.c b/mm/tlsf/mm_tlsf.c
index 70ae02af17..80579da18d 100644
--- a/mm/tlsf/mm_tlsf.c
+++ b/mm/tlsf/mm_tlsf.c
@@ -689,6 +689,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)
 
   if (mm_lock(heap) == 0)
     {
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
       kasan_poison(mem, mm_malloc_size(heap, mem));
 
       /* Pass, return to the tlsf pool */
@@ -1064,6 +1068,10 @@ FAR void *mm_malloc(FAR struct mm_heap_s *heap, size_t 
size)
       memdump_backtrace(heap, buf);
 #endif
       kasan_unpoison(ret, mm_malloc_size(heap, ret));
+
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(ret, 0xaa, mm_malloc_size(heap, ret));
+#endif
     }
 
   return ret;
