micahmoore/malloclab
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: micahmoore:master
Branches Tags
micahmoore:master
micahmoore:overflowcheck
...
pull from: micahmoore:overflowcheck
Branches Tags
micahmoore:master
micahmoore:overflowcheck

2 Commits
master ... overflowch

Author SHA1 Message Date
Abhishek Sathiabalan
a2cf38af17 Updated misc stuff 2022-04-14 18:31:40 -04:00
Abhishek Sathiabalan
01c2c84566 size_t overflow protection 2022-04-14 11:03:22 -04:00
1 changed files with 42 additions and 0 deletions
Show Stats Expand all files Collapse all files

42
mm-gback-implicit.c
View File

@ -161,6 +161,21 @@ int mm_init(void)
/* Extend the empty heap with a free block of CHUNKSIZE bytes */ /* Extend the empty heap with a free block of CHUNKSIZE bytes */
if (extend_heap(CHUNKSIZE) == NULL) if (extend_heap(CHUNKSIZE) == NULL)
return -1; return -1;
/*
//If the following code prints error messages you might have a size_t overflow attack
void *bug = mm_malloc(SIZE_MAX - 1);
if (bug != NULL) {
struct block *bug_blk = bug - offsetof(struct block, payload); //Change this as needed
printf("Bug Size Request: %ld\n Your code might be vulnerable to an size_t overflow attack in mm_malloc.\n", blk_size(bug_blk));
}
void *bug2 = mm_realloc(mm_malloc(2), SIZE_MAX - 1);
if (bug2 != NULL) {
struct block *bug_blk = bug2 - offsetof(struct block, payload); //Change this as needed
printf("Bug Size Request: %ld\n Your code might be vulnerable to an size_t overflow attack in mm_realloc.\n", blk_size(bug_blk));
}
*/
return 0; return 0;
} }
@ -175,11 +190,26 @@ void *mm_malloc(size_t size)
if (size == 0) if (size == 0)
return NULL; return NULL;
size_t original_size = size;
/* Adjust block size to include overhead and alignment reqs. */ /* Adjust block size to include overhead and alignment reqs. */
size += 2 * sizeof(struct boundary_tag); /* account for tags */ size += 2 * sizeof(struct boundary_tag); /* account for tags */
/* Adjusted block size in words */ /* Adjusted block size in words */
size_t awords = max(MIN_BLOCK_SIZE_WORDS, align(size)/WSIZE); /* respect minimum size */ size_t awords = max(MIN_BLOCK_SIZE_WORDS, align(size)/WSIZE); /* respect minimum size */
/*Overflow check:
The only time that this can occur is when align(size + overhead) exceeds the maximum value
of a size_t of SIZE_MAX (limits.h).
To test this code run:
void *bug = mm_malloc(SIZE_MAX - 1);
if (bug != NULL) {
struct block *bug_blk = bug - offsetof(struct block, payload); //You might need to change this depending on your block struct
printf("Bug Size Request: %ld\n Your code might be vulnerable to an size_t overflow attack in mm_malloc.\n", blk_size(bug_blk));
}
*/
if (awords * WSIZE < original_size) {
return NULL;
}
/* Search the free list for a fit */ /* Search the free list for a fit */
if ((bp = find_fit(awords)) != NULL) { if ((bp = find_fit(awords)) != NULL) {
place(bp, awords); place(bp, awords);
@ -261,6 +291,18 @@ void *mm_realloc(void *ptr, size_t size)
return mm_malloc(size); return mm_malloc(size);
} }
/*WARNING: This code currently uses the overflow protection in mm_malloc.
Manuallly optimizing your code without checking for an size_t overflow
would leave your code vulnerable to an size_t-overflow attack.
To test this run something like this:
void *bug2 = mm_realloc(mm_malloc(2), SIZE_MAX - 1);
if (bug2 != NULL) {
struct block *bug_blk = bug2 - offsetof(struct block, payload); //You might need to changeg this accordingly
printf("Bug Size Request: %ld\n Your code might be vulnerable to an size_t overflow attack in mm_realloc.\n", blk_size(bug_blk));
}
*/
void *newptr = mm_malloc(size); void *newptr = mm_malloc(size);
/* If realloc() fails the original block is left untouched */ /* If realloc() fails the original block is left untouched */