Fix dlmalloc horror bug - mman_map overwrites application code

2025-09-14 19:07:00 +02:00
parent e6891b39cc
commit 26ff717b50
18 changed files with 197 additions and 137 deletions
--- a/ulib/dlmalloc/dlmalloc_port.inc
+++ b/ulib/dlmalloc/dlmalloc_port.inc
@ -53,24 +53,40 @@ int INITIAL_LOCK(SpinLock *sl) {
 static MLOCK_T malloc_global_mutex = { 0 };

 #define PAGE_SIZE 0x1000
+
+static uint8_t *heap_start = (uint8_t *)NULL;
 static uint8_t *heap_end = NULL;

-void *sbrk(long inc) {
+static size_t _roundpage(size_t sz) {
+  return (sz + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
+}
+
+void *sbrk(ptrdiff_t inc) {
+  if (!heap_end) {
+    heap_end = heap_start;
+  }
+
  if (inc == 0) {
    return heap_end;
  }

-  uint8_t *new_heap_end = heap_end + inc;
-  if (new_heap_end > heap_end) {
-    size_t size = new_heap_end - heap_end;
+  uint8_t *oldh = heap_end;
+  uint8_t *newh = heap_end + inc;

-    uint8_t *out = NULL;
-    int32_t ret = mman_map(heap_end, size, MMAN_MAP_PF_RW, 0, &out);
-    if (ret != E_OK) {
+  if (inc > 0) {
+    size_t allocsz = _roundpage((size_t)(newh - oldh));
+    uint8_t *maddr = NULL;
+    int32_t ret = mman_map(NULL, allocsz, MMAN_MAP_PF_RW, 0, &maddr);
+    if (ret != E_OK || maddr == NULL) {
      return (void *)-1;
    }
-    string_memset(out, 0, size);
+    if (!heap_start) {
+      heap_start = maddr;
+    }
+    oldh = heap_end ? heap_end : maddr;
+    heap_end = oldh + allocsz;
+  } else {
+    heap_end = newh;
  }
-  heap_end = new_heap_end;
-  return (void *)heap_end;
+  return oldh;
 }