Fix a heap corruption bug in ems realloc (#2279)

2025-02-06 06:55:07 +00:00 · 2023-06-09 22:36:00 +09:00 · 2023-06-09 22:36:00 +09:00 · 4fcc056178
commit 4fcc056178
parent 2f01cb7b7a
3 changed files with 81 additions and 0 deletions
--- a/core/shared/mem-alloc/ems/ems_alloc.c
+++ b/core/shared/mem-alloc/ems/ems_alloc.c
@ -564,6 +564,7 @@ gc_realloc_vo_internal(void *vheap, void *ptr, gc_size_t size, const char *file,
                        os_mutex_unlock(&heap->lock);
                        return NULL;
                    }
+                    hmu_mark_pinuse(hmu_next);
                }
                os_mutex_unlock(&heap->lock);
                return obj_old;
--- a/samples/mem_allocator/CMakeLists.txt
+++ b/samples/mem_allocator/CMakeLists.txt
@ -0,0 +1,22 @@
+# Copyright (C) 2023 Midokura Japan KK.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+cmake_minimum_required(VERSION 3.0)
+project(mem_allocator_create)
+
+string (TOLOWER ${CMAKE_HOST_SYSTEM_NAME} WAMR_BUILD_PLATFORM)
+if(APPLE)
+  add_definitions(-DBH_PLATFORM_DARWIN)
+endif()
+
+set(WAMR_BUILD_INTERP 1)
+set(WAMR_BUILD_LIBC_BUILTIN 0)
+
+set(WAMR_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/../..)
+include(${WAMR_ROOT_DIR}/build-scripts/runtime_lib.cmake)
+
+add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
+
+add_executable(mem_alloc_test main.c)
+
+target_link_libraries(mem_alloc_test vmlib -lm -lpthread)
--- a/samples/mem_allocator/main.c
+++ b/samples/mem_allocator/main.c
@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 Midokura Japan KK.  All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "mem_alloc.h"
+
+char store[1000];
+
+int
+main(int argc, char **argv)
+{
+    mem_allocator_t a = mem_allocator_create(store, sizeof(store));
+    uint8_t *p;
+    uint8_t *p2;
+
+    p = mem_allocator_malloc(a, 256);
+    printf("%p\n", p);
+    if (p == NULL) {
+        exit(1);
+    }
+    p = mem_allocator_realloc(a, p, 256 + 12);
+    printf("%p\n", p);
+    if (p == NULL) {
+        exit(1);
+    }
+
+    /*
+     * write some values to confuse the ems allocator.
+     *
+     * hmu = p + 256
+     * hmu_set_ut(hmu, HMU_FC)
+     * hmu_set_size(hmu, 256)
+     * hmu_set_free_size(hmu)
+     */
+    *(uint32_t *)(p + 256) = (1 << 30) | 0x20;
+    *(uint32_t *)(p + 256 + 12 - 4) = 12;
+
+    p2 = mem_allocator_malloc(a, 256);
+    printf("%p\n", p2);
+    if (p2 == NULL) {
+        exit(1);
+    }
+    mem_allocator_free(a, p2);
+
+    p2 = mem_allocator_malloc(a, 256);
+    printf("%p\n", p2);
+    if (p2 == NULL) {
+        exit(1);
+    }
+    mem_allocator_free(a, p2);
+
+    mem_allocator_free(a, p);
+}