On 25/10/15 06:20 PM, Ted Unangst wrote:
> Daniel Micay wrote:
>> This patch adds an opt-in malloc configuration option placing canaries after
>> small allocations to detect heap overflows on free(...). It's intended to be
>> used alongside guard pages for large allocations. Since it's essentially
>> adding extra padding to all small allocations, a small heap overflow will be
>> rendered harmless.
>
> This is all very cool. I'd like to look more at it sometime soon.
Probably worth looking at the use-after-free detection patch first since it's simpler. And it's worth noting that the 2 features conflict with each other, a small change is required to make them compatible: diff --git a/libc/bionic/omalloc.c b/libc/bionic/omalloc.c index 91ae559..dd39117 100644 --- a/libc/bionic/omalloc.c +++ b/libc/bionic/omalloc.c @@ -1371,6 +1371,8 @@ ofree(void *p) size_t byte; r = find(pool, p); REALSIZE(sz, r); + if (sz > 0 && sz <= MALLOC_MAXCHUNK) + sz -= mopts.malloc_canaries; for (byte = 0; byte < sz; byte++) { if (((char *)p)[byte] != SOME_FREEJUNK) { wrterror("use after free", p);
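Review bot: The `sz -= mopts.malloc_canaries` adjustment in ofree() is applied only to the SOME_FREEJUNK verification loop shown here; the junk fill that this loop later checks is not in the hunk, and it must use the same length (chunk size minus canaries) or else also junk-fill the canary region, otherwise the fill and the check disagree and the canary bytes are reported as "use after free" on every small chunk, or the last bytes go unchecked. Two smaller points: the subtraction can wrap size_t if mopts.malloc_canaries is ever larger than the smallest chunk size, so a bound check when the option is parsed (canary size strictly less than the smallest chunk) would keep the loop from reading past the chunk; and the `sz > 0 && sz <= MALLOC_MAXCHUNK` test duplicates whatever condition the canary patch uses to decide that a chunk carries a canary, so sharing one predicate between the two patches would keep them from drifting apart.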
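To make the interaction concrete, here is a small self-contained C model of the two features described in the thread: a fixed-size small chunk with canary bytes at its end, a free path that verifies the canary and then junk-fills the user-visible region, and a delayed-release check that verifies the junk. It is an added illustration, not code from bionic or OpenBSD malloc; BUCKET, CANARY_LEN, FREEJUNK, the canary pattern and every function name are constructed for the example (CANARY_LEN stands in for mopts.malloc_canaries, FREEJUNK for SOME_FREEJUNK). The last scenario shows the conflict the patch resolves: without subtracting the canary length, the junk check reports the untouched canary bytes as a use after free.

```c
/* Toy model of canary padding after small allocations combined with
 * free-junk verification. Added example, not bionic/OpenBSD malloc code.
 * All sizes, names and byte patterns below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKET     64    /* hypothetical small-chunk size */
#define CANARY_LEN 8     /* hypothetical canary padding (mopts.malloc_canaries) */
#define FREEJUNK   0xdf  /* constructed free-junk byte (SOME_FREEJUNK) */

/* Constructed canary pattern; no byte equals FREEJUNK, so the two checks differ. */
static const uint8_t CANARY[CANARY_LEN] = {0xde,0xad,0xbe,0xef,0xca,0xfe,0xf0,0x0d};

struct chunk {
    uint8_t data[BUCKET];   /* user bytes, then slack, then the canary at the end */
    size_t  user_len;       /* requested size; must fit in BUCKET - CANARY_LEN */
};

/* Carve a small allocation out of a chunk; the canary occupies the last bytes. */
static int toy_alloc(struct chunk *c, size_t n)
{
    if (n > BUCKET - CANARY_LEN)
        return -1;
    memset(c->data, 0, BUCKET);
    c->user_len = n;
    memcpy(c->data + BUCKET - CANARY_LEN, CANARY, CANARY_LEN);
    return 0;
}

/* Canary check done on free(): 1 if intact, 0 if an overflow reached it. */
static int canary_intact(const struct chunk *c)
{
    return memcmp(c->data + BUCKET - CANARY_LEN, CANARY, CANARY_LEN) == 0;
}

/* free(): verify the canary, then junk-fill only the user-visible region. */
static int toy_free(struct chunk *c)
{
    if (!canary_intact(c))
        return -1;                                    /* heap overflow detected */
    memset(c->data, FREEJUNK, BUCKET - CANARY_LEN);   /* canary bytes stay in place */
    return 0;
}

/* Count bytes in data[0..len) that are no longer FREEJUNK. */
static size_t junk_mismatches(const struct chunk *c, size_t len)
{
    size_t i, bad = 0;
    for (i = 0; i < len; i++)
        if (c->data[i] != FREEJUNK)
            bad++;
    return bad;
}

/* Delayed-release check with the patch's adjustment: skip the canary bytes. */
static size_t uaf_check_adjusted(const struct chunk *c)
{
    size_t sz = BUCKET;
    if (sz > 0 && sz <= BUCKET)   /* mirrors the "small chunk" condition */
        sz -= CANARY_LEN;
    return junk_mismatches(c, sz);
}

/* The same check without the adjustment: the whole chunk is compared to junk. */
static size_t uaf_check_unadjusted(const struct chunk *c)
{
    return junk_mismatches(c, BUCKET);
}

/* Scenario 1: well-behaved allocation; returns 0 when both checks pass. */
static int scenario_clean(void)
{
    struct chunk c;
    if (toy_alloc(&c, 20) != 0) return -1;
    memset(c.data, 'A', 20);
    if (toy_free(&c) != 0) return 1;             /* canary wrongly reported */
    return uaf_check_adjusted(&c) == 0 ? 0 : 2;  /* junk intact */
}

/* Scenario 2: a 3-byte overflow past a full-size request reaches the canary. */
static int scenario_overflow(void)
{
    struct chunk c;
    toy_alloc(&c, BUCKET - CANARY_LEN);
    memset(c.data, 'A', BUCKET - CANARY_LEN + 3);
    return toy_free(&c);   /* -1: caught on free */
}

/* Scenario 3: a write after free; returns the number of clobbered bytes. */
static int scenario_uaf(void)
{
    struct chunk c;
    toy_alloc(&c, 20);
    toy_free(&c);
    c.data[5] = 'X';
    return (int)uaf_check_adjusted(&c);   /* 1 */
}

/* Scenario 4: the conflict the patch fixes; nothing was touched after free,
 * yet the unadjusted check counts every canary byte as a mismatch. */
static size_t scenario_unadjusted_false_positive(void)
{
    struct chunk c;
    toy_alloc(&c, 20);
    toy_free(&c);
    return uaf_check_unadjusted(&c);   /* CANARY_LEN */
}

int main(void)
{
    printf("clean=%d overflow=%d uaf=%d unadjusted=%zu\n",
           scenario_clean(), scenario_overflow(), scenario_uaf(),
           scenario_unadjusted_false_positive());
    return 0;
}
```

Note that an overflow of a few bytes past a short request (say 20 bytes in a 64-byte chunk) lands in the slack before the canary and is not reported; that is the "rendered harmless" case from the quoted description, since the padding absorbs it without corrupting neighbouring chunks.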