Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integer overflow in deallocation #85

Open
ede1998 opened this issue Dec 15, 2024 · 0 comments
Open

Integer overflow in deallocation #85

ede1998 opened this issue Dec 15, 2024 · 0 comments

Comments

@ede1998
Copy link

ede1998 commented Dec 15, 2024

Thanks for this crate!
I tried to find the size of my PSRAM by simply allocating large amounts of data with a Vec and stumbled upon an integer overflow:
When trying to free an allocation with size 1048572 and alignment 4, my program panicked at https://github.com/rust-osdev/linked-list-allocator/tree/main/src/hole.rs#L617

I added a few panics to see some variable and argument values. The panic happens with this addition arguments: 1048572 += 4294967295 where the right-hand side is usize::MAX for this architecture.

I tried on the latest release 0.10.5 first but could also reproduce on the latest main commit

Minimized example:
https://github.com/ede1998/ireplay/blob/86e2f72509eaf308c133086e1daa133819e68852/src/bin/psram.rs

I tried to reduce the case even further by writing a test in this crate but could not reproduce it that way even though I compiled and ran it with 32bit x86 instead of 64 bit to ensure that usize::MAX is the same. As far as I could tell, there should be no significant difference between my minimized example and the test in terms of code: Both init an arena of the same size and then allocate and deallocate the same number of bytes with the same alignment.

Command CARGO_TARGET_I686_UNKNOWN_LINUX_GNU_LINKER=$( nix eval --raw --impure --expr 'let pkgs = import {}; in "${pkgs.pkgsi686Linux.stdenv.cc}/bin/${pkgs.pkgsi686Linux.stdenv.cc.targetPrefix}cc"');

cargo test --target=i686-unknown-linux-gnu large_deallocation

#[test]
fn large_deallocation() {
    // static mut ARENA: [MaybeUninit<u8>; 3_000_000] = [MaybeUninit::uninit(); 3_000_000];
    // let mut heap = Heap::from_slice(unsafe { &mut ARENA });
    static mut ARENA: [u8; 3_000_000] = [0; 3_000_000];
    let mut heap = Heap::empty();
    unsafe {
        heap.init(ARENA.as_mut_ptr(), 2097152);
    }
    let layout = Layout::from_size_align(1048572, 4).unwrap();
    let data = heap
        .allocate_first_fit(layout)
        .expect("Succesful allocation");
    unsafe {
        heap.deallocate(data, layout);
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ede1998