On Wed, Sep 07, 2016 at 06:29:07PM -0400, Ted Unangst wrote: > There's some overlap here with canaries, but nothing wrong with that. :)
The diff breaks canaries since random_junk() overwrites them before they are validated. The following straightforward modification fixes that:
> Index: malloc.c
> ===================================================================
[..]
> @@ -1336,10 +1367,11 @@ ofree(struct dir_info *argpool, void *p)
> }
> STATS_SUB(pool->malloc_guarded, mopts.malloc_guard);
> }
> - if (mopts.malloc_junk && !mopts.malloc_freeunmap) {
> - size_t amt = mopts.malloc_junk == 1 ? MALLOC_MAXCHUNK :
> - PAGEROUND(sz) - mopts.malloc_guard;
> - memset(p, SOME_FREEJUNK, amt);
> + if (mopts.malloc_junk == 2 && !mopts.malloc_freeunmap) {
> + memset(p, SOME_FREEJUNK,
> + PAGEROUND(sz) - mopts.malloc_guard);
> + } else if (mopts.malloc_junk == 1 && !mopts.malloc_freeunmap) {
> + random_junk(p, MALLOC_MAXCHUNK);
should be: random_junk(p, MALLOC_MAXCHUNK - mopts.malloc_canaries);
> }
> unmap(pool, p, PAGEROUND(sz));
> delete(pool, r);
> @@ -1347,8 +1379,10 @@ ofree(struct dir_info *argpool, void *p)
> void *tmp;
> int i;
>
> - if (mopts.malloc_junk && sz > 0)
> + if (mopts.malloc_junk == 2 && sz > 0)
> memset(p, SOME_FREEJUNK, sz - mopts.malloc_canaries);
> + else if (mopts.malloc_junk == 1 && sz > 0)
> + random_junk(p, sz);
should be: random_junk(p, sz - mopts.malloc_canaries);
> if (!mopts.malloc_freenow) {
> if (find_chunknum(pool, r, p) == -1)
> goto done;
>
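Review bot: Both hunks replace the old `mopts.malloc_junk && ...` test with exact `== 2` / `== 1` comparisons, so any other non-zero value of malloc_junk now skips junking entirely where it previously fell into the full-junk branch; unless the option parser guarantees the value is always 0, 1 or 2, the fallback branch is safer written as `} else if (mopts.malloc_junk && !mopts.malloc_freeunmap) {` in the first hunk and `else if (mopts.malloc_junk && sz > 0)` in the second, or the first test as `>= 2`. The `!mopts.malloc_freeunmap` condition is now evaluated twice in the first hunk; hoisting it into one outer `if` would make the two junk modes a single nested decision instead of two parallel ones. random_junk() is defined elsewhere in the diff, so whether it writes exactly the requested length, and nothing past it, cannot be confirmed from these hunks.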