author: Yu-Ping Wu <yupingso@chromium.org> 2020-09-11 14:39:03 +0800
committer: Hung-Te Lin <hungte@chromium.org> 2020-09-13 13:40:11 +0000
commit: aec3b1f7d70f2cf59cdd80c7bd1047ca54df034c (patch)
tree: 5de5354d734ce82395acf8db0bef0525b539aea5 /util
parent: 828a36e32567c9862cc8aad7209b408b8b99b01d (diff)
libpayload: malloc: Fix realloc for overlapping buffers
The current realloc() works by freeing the original buffer, allocating a new one, and copying the data over. It's true that free() won't touch the actual memory. However, the alloc() following it will potentially modify the memory that belongs to the old buffer in order to create a new free block (right after the newly allocated block). This causes 8 bytes (HDRSIZE) to be overwritten before being copied to the new buffer.

To fix the problem, we must create the header of the new free block after the data is copied. In this patch, the content of alloc() is split into two functions:

1. find_free_block(): Find a free block with large enough size, without touching the memory
2. use_block(): Update the header of the newly allocated block, and create the header of the new free block right after it

Then, inside realloc(), call memmove() right after find_free_block() and before use_block().

BUG=b:165439970
TEST=emerge-puff libpayload
TEST=Puff boots
TEST=Verified realloc() correctly copied data when buffers overlapped

Change-Id: I9418320a26820909144890300ddfb09ec2570f43
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45284
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
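A toy heap that reproduces the ordering bug the message describes and the find_free_block()/use_block() split that fixes it, as an added example in C (not libpayload's code). The block layout, the 256-byte heap, the sizes in the scenario and the names toy_alloc/toy_free/toy_realloc are assumptions chosen so that the reused free block overlaps the old buffer and the new free header lands on its data.

```c
#include <stdint.h>
#include <string.h>
/* Toy first-fit heap in the layout the commit message describes (added illustration, not
 * libpayload's code): an 8-byte header holding the size and a used bit, then the data. */
enum { HDRSIZE = 8, HEAP_SIZE = 256 };
#define USED (1ULL << 63)
#define HDR(p) (*(uint64_t *)(p))
#define SIZE(h) ((h) & ~USED)
static uint64_t heap_words[HEAP_SIZE / 8]; /* uint64_t storage keeps header access aligned */
#define heap ((uint8_t *)heap_words)
/* Step 1 of the fix: find a free block that fits, merging neighbouring free blocks by
 * rewriting headers only; no data byte of any block is written here. */
static uint8_t *find_free_block(size_t size) {
    for (uint8_t *p = heap; p + HDRSIZE <= heap + HEAP_SIZE; p += HDRSIZE + SIZE(HDR(p))) {
        if (HDR(p) & USED) continue;
        uint8_t *n = p + HDRSIZE + HDR(p);
        while (n + HDRSIZE <= heap + HEAP_SIZE && !(HDR(n) & USED))
            HDR(p) += HDRSIZE + HDR(n), n = p + HDRSIZE + HDR(p);
        if (HDR(p) >= size) return p;
    }
    return NULL;
}
/* Step 2: claim the block and write the header of the free remainder right after it.
 * In the old realloc() this write landed inside the not-yet-copied old buffer. */
static void *use_block(uint8_t *p, size_t size) {
    size_t rest = HDR(p) - size;
    if (rest < HDRSIZE) size += rest, rest = 0; /* remainder too small to split: absorb it */
    HDR(p) = size | USED;
    if (rest) HDR(p + HDRSIZE + size) = rest - HDRSIZE; /* header of the new free block */
    return p + HDRSIZE;
}
static void *toy_alloc(size_t size) { uint8_t *p = find_free_block(size); return p ? use_block(p, size) : NULL; }
static void toy_free(void *ptr) { HDR((uint8_t *)ptr - HDRSIZE) &= ~USED; }
/* fixed: memmove() between find_free_block() and use_block(); pre-fix: free, alloc, memmove(). */
static void *toy_realloc(void *ptr, size_t size, int fixed) {
    size_t old = SIZE(HDR((uint8_t *)ptr - HDRSIZE)), n = old < size ? old : size;
    toy_free(ptr);
    uint8_t *p = find_free_block(size);
    if (!p) return NULL;
    if (fixed) memmove(p + HDRSIZE, ptr, n);
    void *ret = use_block(p, size); /* find_free_block() + use_block() == the old alloc() */
    if (!fixed && ret != ptr) memmove(ret, ptr, n);
    return ret;
}
/* Constructed scenario: [a used 16][b free 16][c used 32]; realloc(c, 40) reuses b's start,
 * so the new free header lands on c's bytes 16..23. Returns 1 if c's 32 bytes survived. */
static int realloc_keeps_data(int fixed) {
    memset(heap_words, 0, HEAP_SIZE); HDR(heap) = HEAP_SIZE - HDRSIZE;
    toy_alloc(16); void *b = toy_alloc(16); uint8_t *c = toy_alloc(32); toy_free(b);
    for (int i = 0; i < 32; i++) c[i] = (uint8_t)i;
    uint8_t *n = toy_realloc(c, 40, fixed);
    for (int i = 0; n && i < 32; i++) if (n[i] != (uint8_t)i) return 0;
    return n == (uint8_t *)b;
}
```

With the pre-fix order the header write puts the value 176 (the remainder size) over bytes 16..23 of the old buffer before memmove() runs, so realloc_keeps_data(0) returns 0 while realloc_keeps_data(1) returns 1.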
Diffstat (limited to 'util')
0 files changed, 0 insertions, 0 deletions