mm/mm-heap: memalign: fix heap corruption caused by using unaligned chuck size. Unaligned nodes generated by memalign later cause heap corruptions when nodes are shrink further (for example, 24 bytes -> 8 bytes, when alignment is 16 bytes).

2017-10-24 11:35:40 -06:00 · 2017-10-24 11:35:40 -06:00 · 75b53d563b
commit 75b53d563b
parent 70c59a9d91
2 changed files with 10 additions and 4 deletions
--- a/mm/mm_heap/mm_memalign.c
+++ b/mm/mm_heap/mm_memalign.c
@ -189,16 +189,20 @@ FAR void *mm_memalign(FAR struct mm_heap_s *heap, size_t alignment,
      node = newnode;
    }

-  /* Check if there is free space at the end of the aligned chunk */
+  /* Check if there is free space at the end of the aligned chunk. Convert
+   * malloc-compatible chunk size to include SIZEOF_MM_ALLOCNODE as needed
+   * for mm_shrinkchunk.
+   */
+
+  size = MM_ALIGN_UP(size + SIZEOF_MM_ALLOCNODE);

  if (allocsize > size)
    {
      /* Shrink the chunk by that much -- remember, mm_shrinkchunk wants
-       * internal chunk sizes that include SIZEOF_MM_ALLOCNODE, and not the
-       * malloc-compatible sizes that we have.
+       * internal chunk sizes that include SIZEOF_MM_ALLOCNODE.
       */

-      mm_shrinkchunk(heap, node, size + SIZEOF_MM_ALLOCNODE);
+      mm_shrinkchunk(heap, node, size);
    }

  mm_givesemaphore(heap);
--- a/mm/mm_heap/mm_shrinkchunk.c
+++ b/mm/mm_heap/mm_shrinkchunk.c
@ -67,6 +67,8 @@ void  mm_shrinkchunk(FAR struct mm_heap_s *heap,
 {
  FAR struct mm_freenode_s *next;

+  DEBUGASSERT((size & MM_GRAN_MASK) == 0);
+
  /* Get a reference to the next node */

  next = (FAR struct mm_freenode_s *)((FAR char *)node + node->size);