From ba3185d8a4f0a56804d3b1ff24e596096f06a37c Mon Sep 17 00:00:00 2001
From: Gabriel Corona
Date: Fri, 25 Apr 2014 10:05:10 +0200
Subject: [PATCH] [mmalloc] Use mremap to expand heaps (heap collision prevention)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

mremap() will fail instead of overwriting an existing memory mapping : the first heap could silently overflow on the second one.
---
 src/xbt/mmalloc/mmorecore.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/xbt/mmalloc/mmorecore.c b/src/xbt/mmalloc/mmorecore.c
index 9fbf7a9704..f47c53995d 100644
--- a/src/xbt/mmalloc/mmorecore.c
+++ b/src/xbt/mmalloc/mmorecore.c
@@ -109,9 +109,14 @@ void *mmorecore(struct mdesc *mdp, ssize_t size)
     /* Let's call mmap. Note that it is possible that mdp->top is 0. In this case mmap will choose the address for us */
-    mapto = mmap(mdp->top, mapbytes, PROT_READ | PROT_WRITE,
+    if(mdp->base==mdp->top)
+    mapto = mmap(mdp->top, mapbytes, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE_OR_SHARED(mdp) | MAP_IS_ANONYMOUS(mdp) | MAP_FIXED,
                  MAP_ANON_OR_FD(mdp), foffset);
+    else {
+      size_t old_size = (char*)mdp->top - (char*)mdp->base;
+      mapto = mremap(mdp->base, old_size, old_size+size, 0);
+    }
 
     if (mapto == (void *) -1/* That's MAP_FAILED */) {
       char buff[1024];
@@ -124,9 +129,6 @@ void *mmorecore(struct mdesc *mdp, ssize_t size)
       abort();
     }
 
-    if (mdp->top == 0)
-      mdp->base = mdp->breakval = mapto;
-
     mdp->top = PAGE_ALIGN((char *) mdp->breakval + size);
     result = (void *) mdp->breakval;
     mdp->breakval = (char *) mdp->breakval + size;
-- 
2.20.1
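Review bot: The length passed on the `mapto = mremap(mdp->base, old_size, old_size+size, 0);` line does not match what `mdp->top` becomes a few lines later in `mdp->top = PAGE_ALIGN((char *) mdp->breakval + size);` — the mapping grows by `size` counted from `top` (where the mmap branch maps `mapbytes`), while `top` is advanced from `breakval`, which can sit below `top`, so after the call the mapping may end up to a page past `mdp->top`. On the next expansion `old_size` then no longer reaches the end of the mapping, and because the flags are 0 (no MREMAP_MAYMOVE) Linux will refuse to grow it in place and return ENOMEM, sending a perfectly healthy heap into the abort path below without any real collision. Deriving the new length from the same expression that sets top keeps the two in step: `size_t new_size = (char *) PAGE_ALIGN((char *) mdp->breakval + size) - (char *) mdp->base;` followed by `mapto = mremap(mdp->base, old_size, new_size, 0);`. Separately, the second hunk drops the `mdp->top == 0` initialisation of `base`/`breakval` while the retained comment still says `mdp->top` may be 0; if that can still happen, `mmap(0, …, MAP_FIXED)` no longer lets the kernel choose the address and `base` is never set from `mapto`, so either the comment should be updated or an `xbt_assert(mdp->base != NULL)`-style check should document where the initial mapping now comes from. mmorecore's body begins and ends outside the hunks.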