libpayload: malloc: Fix realloc for overlapping buffers
The current realloc() works by freeing the original buffer, allocating a new one, and copying the data over. It's true that free() won't touch the actual memory. However, the alloc() following it will potentially modify the memory that belongs to the old buffer in order to create a new free block (right after the newly allocated block). This causes 8 bytes (HDRSIZE) to be overwritten before being copied to the new buffer. To fix the problem, we must create the header of the new free block after the data is copied. In this patch, the content of alloc() is split into two functions: 1. find_free_block(): Find a free block with a large enough size, without touching the memory 2. use_block(): Update the header of the newly allocated block, and create the header of the new free block right after it Then, inside realloc(), call memmove() right after find_free_block() and before use_block(). BUG=b:165439970 TEST=emerge-puff libpayload TEST=Puff boots TEST=Verified realloc() correctly copied data when buffers overlapped Change-Id: I9418320a26820909144890300ddfb09ec2570f43 Signed-off-by: Yu-Ping Wu <yupingso@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/45284 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit is contained in:
parent
828a36e325
commit
aec3b1f7d7
@ -123,7 +123,8 @@ int dma_coherent(void *ptr)
return !dma_initialized() || (dma->start <= ptr && dma->end > ptr);
|
return !dma_initialized() || (dma->start <= ptr && dma->end > ptr);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void *alloc(int len, struct memory_type *type)
|
/* Find free block of size >= len */
|
||||||
|
static hdrtype_t volatile *find_free_block(int len, struct memory_type *type)
|
||||||
{
|
{
|
||||||
hdrtype_t header;
|
hdrtype_t header;
|
||||||
hdrtype_t volatile *ptr = (hdrtype_t volatile *)type->start;
|
hdrtype_t volatile *ptr = (hdrtype_t volatile *)type->start;
|
||||||
|
@ -156,16 +157,32 @@ static void *alloc(int len, struct memory_type *type)
|
||||||
halt();
|
halt();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (header & FLAG_FREE) {
|
if ((header & FLAG_FREE) && len <= size)
|
||||||
if (len <= size) {
|
return ptr;
|
||||||
hdrtype_t volatile *nptr = (hdrtype_t volatile *)((uintptr_t)ptr + HDRSIZE + len);
|
|
||||||
|
ptr = (hdrtype_t volatile *)((uintptr_t)ptr + HDRSIZE + size);
|
||||||
|
|
||||||
|
} while (ptr < (hdrtype_t *) type->end);
|
||||||
|
|
||||||
|
/* Nothing available. */
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Mark the block with length 'len' as used */
|
||||||
|
static void use_block(hdrtype_t volatile *ptr, int len)
|
||||||
|
{
|
||||||
|
/* Align the size. */
|
||||||
|
len = ALIGN_UP(len, HDRSIZE);
|
||||||
|
|
||||||
|
hdrtype_t volatile *nptr = (hdrtype_t volatile *)
|
||||||
|
((uintptr_t)ptr + HDRSIZE + len);
|
||||||
|
int size = SIZE(*ptr);
|
||||||
int nsize = size - (HDRSIZE + len);
|
int nsize = size - (HDRSIZE + len);
|
||||||
|
|
||||||
/* If there is still room in this block,
|
/*
|
||||||
* then mark it as such otherwise account
|
* If there is still room in this block, then mark it as such otherwise
|
||||||
* the whole space for that block.
|
* account the whole space for that block.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if (nsize > 0) {
|
if (nsize > 0) {
|
||||||
/* Mark the block as used. */
|
/* Mark the block as used. */
|
||||||
*ptr = USED_BLOCK(len);
|
*ptr = USED_BLOCK(len);
|
||||||
|
@ -176,17 +193,17 @@ static void *alloc(int len, struct memory_type *type)
|
||||||
/* Mark the block as used. */
|
/* Mark the block as used. */
|
||||||
*ptr = USED_BLOCK(size);
|
*ptr = USED_BLOCK(size);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void *alloc(int len, struct memory_type *type)
|
||||||
|
{
|
||||||
|
hdrtype_t volatile *ptr = find_free_block(len, type);
|
||||||
|
|
||||||
|
if (ptr == NULL)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
use_block(ptr, len);
|
||||||
return (void *)((uintptr_t)ptr + HDRSIZE);
|
return (void *)((uintptr_t)ptr + HDRSIZE);
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ptr = (hdrtype_t volatile *)((uintptr_t)ptr + HDRSIZE + size);
|
|
||||||
|
|
||||||
} while (ptr < (hdrtype_t *) type->end);
|
|
||||||
|
|
||||||
/* Nothing available. */
|
|
||||||
return (void *)NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void _consolidate(struct memory_type *type)
|
static void _consolidate(struct memory_type *type)
|
||||||
|
@ -277,6 +294,7 @@ void *calloc(size_t nmemb, size_t size)
|
||||||
void *realloc(void *ptr, size_t size)
|
void *realloc(void *ptr, size_t size)
|
||||||
{
|
{
|
||||||
void *ret, *pptr;
|
void *ret, *pptr;
|
||||||
|
hdrtype_t volatile *block;
|
||||||
unsigned int osize;
|
unsigned int osize;
|
||||||
struct memory_type *type = heap;
|
struct memory_type *type = heap;
|
||||||
|
|
||||||
|
@ -300,19 +318,24 @@ void *realloc(void *ptr, size_t size)
|
||||||
* reallocated the new space.
|
* reallocated the new space.
|
||||||
*/
|
*/
|
||||||
free(ptr);
|
free(ptr);
|
||||||
ret = alloc(size, type);
|
|
||||||
|
block = find_free_block(size, type);
|
||||||
|
if (block == NULL)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
ret = (void *)((uintptr_t)block + HDRSIZE);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* if ret == NULL, then doh - failure.
|
* If ret == ptr, then no copy is needed. Otherwise, move the memory to
|
||||||
* if ret == ptr then woo-hoo! no copy needed.
|
* the new location, which might be before the old one and overlap since
|
||||||
|
* the free() above includes a _consolidate().
|
||||||
*/
|
*/
|
||||||
if (ret == NULL || ret == ptr)
|
if (ret != ptr)
|
||||||
return ret;
|
|
||||||
|
|
||||||
/* Move the memory to the new location. Might be before the old location
|
|
||||||
and overlap since the free() above includes a _consolidate(). */
|
|
||||||
memmove(ret, ptr, osize > size ? size : osize);
|
memmove(ret, ptr, osize > size ? size : osize);
|
||||||
|
|
||||||
|
/* Mark the block as used. */
|
||||||
|
use_block(block, size);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
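Review bot: In the last hunk, `if (block == NULL) return NULL;` runs after `free(ptr)` has already been executed, so when no block of the requested size exists (the only case where a larger request can fail after consolidation) the caller's original buffer is gone and it can neither keep using it nor free it, unlike standard realloc(), whose failure leaves the original allocation valid; the old code had the same shape, but this rewrite is the place to either document it or restructure it. At minimum add a comment above that check, `/* NOTE: ptr is already freed here; on failure the caller's data is lost, unlike C realloc(). */`, and the header comment above realloc (outside the hunk) should state the same. A related narrowing sits on the same line pair: `find_free_block(int len, ...)` receives realloc's `size_t size`, so a value above INT_MAX becomes a negative `len`, which `len <= size` accepts for any free block and `use_block` then aligns and subtracts from `size`; rejecting it before the free, `if (size > INT_MAX) return NULL;`, keeps both the contract and the arithmetic sane. The body of realloc starts outside the hunk, so the early cases (NULL ptr, size 0, dma selection) could not be checked here.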