1 2 3 4 5 6 7 sed n 22 27p glibc malloc malloc c this is
play

1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a - PowerPoint PPT Presentation

Feb 07, 2023 •248 likes •734 views

1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of malloc/free/realloc written by Doug Lea and adapted to multiple threads/arenas by Wolfram Gloger. There have been substantial changes made after the

  1. 1

  2. 2

  3. 3

  4. 4

  5. 5

  6. 6

  7. 7

  8. $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of malloc/free/realloc written by Doug Lea and adapted to multiple threads/arenas by Wolfram Gloger. There have been substantial changes made after the integration into glibc in all parts of the code. Do not look for much commonality with the ptmalloc2 version. 8

  9. 9

  10. 10

  11. 11

  12. 12

  13. 13

  14. 14

  15. 15

  16. 16

  17. 17

  18. 18

  19. 19

  20. 20

  21. #define largebin_index_64(sz) \ (((((unsigned long) (sz)) >> 6) <= 48) ? 48 + (((unsigned long) (sz)) >> 6) :\ ((((unsigned long) (sz)) >> 9) <= 20) ? 91 + (((unsigned long) (sz)) >> 9) :\ ((((unsigned long) (sz)) >> 12) <= 10) ? 110 + (((unsigned long) (sz)) >> 12) :\ ((((unsigned long) (sz)) >> 15) <= 4) ? 119 + (((unsigned long) (sz)) >> 15) :\ ((((unsigned long) (sz)) >> 18) <= 2) ? 124 + (((unsigned long) (sz)) >> 18) :\ 126) 21

  22. 22

  23. 23

  24. 24

  25. 25

  26. 26

  27. 27

  28. struct malloc_state { mutex_t mutex; [...] /* Fastbins */ mfastbinptr fastbinsY[NFASTBINS]; /* Base of the topmost chunk */ mchunkptr top; /* The remainder from the most recent split of a small request */ mchunkptr last_remainder; /* Normal bins */ mchunkptr bins[NBINS * 2 - 2]; [...] }; 28

  29. 29

  30. 30

  31. 31

  32. 32

  33. #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } p->fd->bk = p->bk p->bk->fd = p->fd 33

  34. commit 9a3a9dd8d9e03875f865a22de5296274cc18c10e Author: Ulrich Drepper <drepper@redhat.com> Date: Tue Aug 19 09:30:22 2003 +0000 diff --git a/malloc/malloc.c b/malloc/malloc.c index 5cc3473..55e2cbc 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4131,6 +4131,13 @@ _int_free(mstate av, Void_t* mem) p = mem2chunk(mem); size = chunksize(p); + /* Little security check which won't hurt performance: the + allocator never wrapps around at the end of the address space. + Therefore we can exclude some size values which might appear + here by accident or by "design" from some intruder. */ + if ((uintptr_t) p > (uintptr_t) -size) + return; + check_inuse_chunk(av, p); /* 34

  35. commit 3e030bd5f9fa57f79a509565b5de6a1c0360d953 Author: Ulrich Drepper <drepper@redhat.com> Date: Sat Aug 21 20:19:54 2004 +0000 diff --git a/malloc/malloc.c b/malloc/malloc.c index 6e6c105..206be50 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -1966,6 +1970,9 @@ typedef struct malloc_chunk* mbinptr; #define unlink(P, BK, FD) { \ FD = P->fd; \ BK = P->bk; \ + if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \ + malloc_printf_nc (check_action, \ + "corrupted double-linked list at %p!\n", P); \ FD->bk = BK; \ BK->fd = FD; \ } 35

  36. commit 9d0cdc0eeaf8b0ca19bf04c5e18b00d965fcd0a8 Author: Ulrich Drepper <drepper@redhat.com> Date: Thu Sep 9 01:58:35 2004 +0000 diff --git a/malloc/malloc.c b/malloc/malloc.c index 5636d5c..4db4051 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4201,6 +4201,13 @@ _int_free(mstate av, Void_t* mem) set_fastchunks(av); fb = &(av->fastbins[fastbin_index(size)]); + /* Another simple check: make sure the top of the bin is not the + record we are going to add (i.e., double free). */ + if (__builtin_expect (*fb == p, 0)) + { + malloc_printf_nc (check_action, "double free(%p)!\n", mem); + return; + } p->fd = *fb; *fb = p; } 36

  37. commit 893e609847a2f372970e349e0cede2e8529bea71 Author: Ulrich Drepper <drepper@redhat.com> Date: Fri Nov 19 21:35:00 2004 +0000 diff --git a/malloc/malloc.c b/malloc/malloc.c index 5707410..d6810be 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4233,6 +4233,14 @@ _int_free(mstate av, Void_t* mem) #endif ) { + if (__builtin_expect (chunk_at_offset (p, size)->size <= 2 * SIZE_SZ, 0) + || __builtin_expect (chunksize (chunk_at_offset (p, size)) + >= av->system_mem, 0)) + { + errstr = "invalid next size (fast)"; + goto errout; + } + set_fastchunks(av); fb = &(av->fastbins[fastbin_index(size)]); /* Another simple check: make sure the top of the bin is not the 37

  38. int main(void) { void* ptr = malloc(42); free(ptr); free(ptr); return 0; } 38

  39. *** Error in `./clone': double free or corruption (fasttop): 0x0000557e5c19e010 *** ======= Backtrace: ========= /usr/lib/libc.so.6(+0x6ed4b)[0x7fb27b6ebd4b] /usr/lib/libc.so.6(+0x74546)[0x7fb27b6f1546] /usr/lib/libc.so.6(+0x74d1e)[0x7fb27b6f1d1e] ./clone(+0x7ed)[0x557e5be217ed] /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7fb27b69d741] ./clone(+0x699)[0x557e5be21699] ======= Memory map: ======== [...] zsh: abort (core dumped) ./clone 39

  40. $ grep -rn 'double free or corruption' malloc.c:3939: errstr = "double free or corruption (fasttop)"; malloc.c:3975: errstr = "double free or corruption (top)"; malloc.c:3983: errstr = "double free or corruption (out)"; malloc.c:3989: errstr = "double free or corruption (!prev)"; /* Check that the top of the bin is not the record we are going to add (i.e., double free). */ if (__builtin_expect (old == p, 0)) { errstr = "double free or corruption (fasttop)"; goto errout; } 40

  41. int main(void) { void* ptr1 = malloc(42); void* ptr2 = malloc(42); printf("ptr1: %p\n", ptr1); printf("ptr2: %p\n", ptr2); free(ptr1); free(ptr2); free(ptr1); printf("%p\n", malloc(42)); printf("%p\n", malloc(42)); printf("%p\n", malloc(42)); return 0; } 41

  42. $ make fastchunk-duplicator && ./fastchunk-duplicator cc fastchunk-duplicator.c -o fastchunk-duplicator ptr1: 0x5646b5034010 ptr2: 0x5646b5034050 0x5646b5034010 0x5646b5034050 0x5646b5034010 42

  43. static void * _int_malloc (mstate av, size_t bytes) { // [...] use_top: victim = av->top; size = chunksize(victim); if ((unsigned long)(size) >= (unsigned long)(nb + MINSIZE)) { remainder_size = size - nb; remainder = chunk_at_offset(victim, nb); av->top = remainder; set_head(victim, nb | PREV_INUSE | (av != &main_arena ? NON_MAIN_ARENA : 0)); set_head(remainder, remainder_size | PREV_INUSE); check_malloced_chunk(av, victim, nb); return chunk2mem(victim); // [...] } #define chunk_at_offset(p, s) ((mchunkptr) (((char *) (p)) + (s))) 43

  44. int main(void) { char target[] = "On the stack"; void* chunk = malloc(42); void* wilderness = (char*)(chunk) + malloc_usable_size(chunk); *(uintptr_t*)wilderness = 0xFFFFFFFFFFFFFFFF; malloc((uintptr_t)target - 2 * sizeof (size_t) - (uintptr_t)wilderness); void* ptr = malloc(0x100); printf("%p: %s\n", ptr, ptr); } 44

  45. $ make house-of-force && ./house-of-force cc house-of-force.c -o house-of-force 0x7ffd77fc6350: On the stack 45

  46. 46

  47. 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 241 Data Organization malloc and free March 20, 2018 &lt;stdlib.h&gt;: malloc() void

CS 241 Data Organization malloc and free March 20, 2018 &lt;stdlib.h&gt;: malloc() void

CS 241 Data Organization malloc and free March 20, 2018 &lt;stdlib.h&gt;: malloc() void *malloc(size_t byteSize) The malloc function allocates unused space for an object whose size in bytes is specified by byteSize . The order and

377 views • 15 slides
Malloc &amp; VM Malloc &amp; VM By sseshadr Agenda Agenda Administration d st at o

Malloc &amp; VM Malloc &amp; VM By sseshadr Agenda Agenda Administration d st at o

Malloc &amp; VM Malloc &amp; VM By sseshadr Agenda Agenda Administration d st at o Process lab code will be inked by Thursday (pick up in ECE hub) Malloc due soon (Thursday, November 4 th ) Exam 2 in a week (Tuesday, November 9

559 views • 18 slides
Tips of malloc &amp; free Making your own malloc library for troubleshooting 2013.2.22 Embedded

Tips of malloc &amp; free Making your own malloc library for troubleshooting 2013.2.22 Embedded

Tips of malloc &amp; free Making your own malloc library for troubleshooting 2013.2.22 Embedded Linux Conference Tetsuyuki Kobayashi 1 The latest version of this slide will be available from here

648 views • 51 slides
A Scalable Concurrent malloc(3) Implementation for FreeBSD Jason Evans &lt;jasone@FreeBSD.org&gt;

A Scalable Concurrent malloc(3) Implementation for FreeBSD Jason Evans &lt;jasone@FreeBSD.org&gt;

A Scalable Concurrent malloc(3) Implementation for FreeBSD Jason Evans &lt;jasone@FreeBSD.org&gt; Overview What is malloc(3) ? Previous allocators jemalloc algorithms and data structures Benchmarks Fragmentation

873 views • 52 slides
A vulnerable program #include &lt;stdlib.h&gt; int main() { void *p = malloc(100); } 2

A vulnerable program #include &lt;stdlib.h&gt; int main() { void *p = malloc(100); } 2

I AGO A TTACKS : W HY THE S YSTEM C ALL API IS A B AD U NTRUSTED RPC I NTERFACE Stephen Checkoway and Hovav Shacham March 19, 2013 1 Monday, April 22, 13 1 A vulnerable program #include &lt;stdlib.h&gt; int main() { void *p = malloc(100);

670 views • 45 slides
TOS Arno Puder 1 Objectives Enhance TOS: Add malloc(), free() Overlapping windows

TOS Arno Puder 1 Objectives Enhance TOS: Add malloc(), free() Overlapping windows

TOS Arno Puder 1 Objectives Enhance TOS: Add malloc(), free() Overlapping windows Window Manager Keyboard support TOS shell Running TOS on real hardware 2 Accessing High Memory So far, TOS only uses the first MB

421 views • 23 slides
Implementing malloc CS 351: Systems Programming Michael Saelee &lt;lee@iit.edu&gt; 1 Computer

Implementing malloc CS 351: Systems Programming Michael Saelee &lt;lee@iit.edu&gt; 1 Computer

Implementing malloc CS 351: Systems Programming Michael Saelee &lt;lee@iit.edu&gt; 1 Computer Science Science the API: void *malloc(size_t size); void free(void *ptr); void *realloc(void *ptr, size_t size); 2 Computer Science Science

1.09k views • 74 slides
CS356 : Discussion #11 Dynamic Memory, Allocation Lab and Linking Illustrations from CS:APP3e

CS356 : Discussion #11 Dynamic Memory, Allocation Lab and Linking Illustrations from CS:APP3e

CS356 : Discussion #11 Dynamic Memory, Allocation Lab and Linking Illustrations from CS:APP3e textbook malloc and free in action Each square represents 4 bytes. malloc returns addresses at multiples of 8 bytes (64 bit). If there is a problem,

460 views • 34 slides
Memory Management eg C: { double* A = malloc(sizeof(double)*M*N); Mingsheng Hong for(int i

Memory Management eg C: { double* A = malloc(sizeof(double)*M*N); Mingsheng Hong for(int i

2/11/2008 Motivation Recall unmanaged code Memory Management eg C: { double* A = malloc(sizeof(double)*M*N); Mingsheng Hong for(int i = 0; i &lt; M*N; i++) { A[i] = i; CS 215, Spring 2008 } } Whats wrong? memory leak:

443 views • 5 slides
Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level MMU tricks 5 Garbage collection 1 / 40 Dynamic memory allocation Almost every useful program uses it - Gives wonderful functionality benefits

1.19k views • 43 slides
Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory

Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory

Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory management) Heap Allocation Addr Perm Contents Managed by Initialized Stack 2 N -1 RW Procedure context Compiler Run-time Programmer,

565 views • 31 slides
The malloc Architecture Steve Hanna steve.hanna@sun.com IP Multicast Model Group is

The malloc Architecture Steve Hanna steve.hanna@sun.com IP Multicast Model Group is

The malloc Architecture Steve Hanna steve.hanna@sun.com IP Multicast Model Group is identified with class D IP address Any host can send to a multicast address To receive, join the group via IGMP Packets can be constrained

518 views • 15 slides
Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free

Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free

Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free Caching Questions, Evaluations Virtual Memory Used for 3 things Efficient use of main memory (RAM) Use RAM as cache for parts of

499 views • 18 slides
Memory Virtualization: The UNIX Memory API Prof. Patrick G. Bridges 1 University of New Mexico

Memory Virtualization: The UNIX Memory API Prof. Patrick G. Bridges 1 University of New Mexico

University of New Mexico Memory Virtualization: The UNIX Memory API Prof. Patrick G. Bridges 1 University of New Mexico Memory API: malloc() #include &lt;stdlib.h&gt; void* malloc(size_t size) Main programmer-level API in C.

318 views • 9 slides
CS415: Systems programming Memory management (malloc, calloc, free, realloc, memset, memcpy,

CS415: Systems programming Memory management (malloc, calloc, free, realloc, memset, memcpy,

CS415: Systems programming Memory management (malloc, calloc, free, realloc, memset, memcpy, strcpy) 1 Most of the slides in this lecture are either from or adapted from the slides provided by Dr. Ahmad Barghash Memory allocation There are

463 views • 34 slides
Language Tags in malloc Steve Hanna steve.hanna@sun.com Problem Make zone names work in a

Language Tags in malloc Steve Hanna steve.hanna@sun.com Problem Make zone names work in a

Language Tags in malloc Steve Hanna steve.hanna@sun.com Problem Make zone names work in a multilingual environment 239.192.0.0/20 IBM Switzerland 239.192.16.0/20 IBM Geneva Problem: Users speak different languages

269 views • 9 slides
Subgradient method Geoff Gordon &amp; Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember

Subgradient method Geoff Gordon &amp; Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember

Subgradient method Geoff Gordon &amp; Ryan Tibshirani Optimization 10-725 / 36-725 1 Remember gradient descent We want to solve x R n f ( x ) , min for f convex and differentiable Gradient descent: choose initial x (0) R n , repeat: x

669 views • 33 slides
Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work

Verifiable Delay Functions and More from Isogenies and Pairings Luca De Feo based on joint work with J. Burdges, S. Masson, C. Petit, A. Sanso IBM Research Zrich December 4, 2019, ECC, Bochum Slides online at https://defeo.lu/docet

928 views • 72 slides
Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free

Minimal multiple blocking sets Anurag Bishnoi (with S. Mattheus and J. Schillewaert) Free University of Berlin https://anuragbishnoi.wordpress.com/ Finite Geometries, Irsee September 2017 Blocking Sets A subset B of points in a projective

623 views • 33 slides
Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and

Choice Set Optimization Under Discrete Choice Models of Group Decisions Kiran Tomlinson and Austin R. Benson Department of Computer Science, Cornell University ICML 2020 Discrete choice models Goal Model human choices 1 / 19 Discrete choice

1.2k views • 77 slides
Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director

Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director

Scaling for Humongous amounts of data with MongoDB Alvin Richards Technical Director alvin@10gen.com @jonnyeight alvinonmongodb.com Getting from here to there... http://bit.ly/OT71M4 2 ...probably using one of these http://bit.ly/QDUIUF

769 views • 56 slides
APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX

APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX

APEX Extragalactic Surveys Attila Kovcs The Case for APEX in the ALMA Era Zero Spacing APEX Beam is larger than ALMA FOV Arrays 50 pixels in FOV = 50 antennas in mapping speed Bolometers Larger bandwidth Outline CO Surveys SZ Survey

589 views • 55 slides
Z 2 Structure of the Quantum Spin Hall Effect Leon Balents, UCSB Joel Moore, UCB Summary

Z 2 Structure of the Quantum Spin Hall Effect Leon Balents, UCSB Joel Moore, UCB Summary

COQUSY06, Dresden Z 2 Structure of the Quantum Spin Hall Effect Leon Balents, UCSB Joel Moore, UCB Summary There are robust and distinct topological classes of time-reversal invariant band insulators in two and three dimensions, when

455 views • 22 slides
Management for Multi-stream SSDs Jingpei Yang, PhD, Rajinikanth Pandurangan, Changho Choi, PhD ,

Management for Multi-stream SSDs Jingpei Yang, PhD, Rajinikanth Pandurangan, Changho Choi, PhD ,

AutoStream: Automatic Stream Management for Multi-stream SSDs Jingpei Yang, PhD, Rajinikanth Pandurangan, Changho Choi, PhD , Vijay Balakrishnan Memory Solutions Lab Samsung Semiconductor Agenda SSD NAND flash characteristics

173 views • 13 slides

More recommend