mm/heap: add coloration after free to detect use after free issue

Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
2023-09-05 13:44:14 +08:00 · 2023-09-05 13:44:14 +08:00 · 36e3d32740
commit 36e3d32740
parent a7d0b6c120
3 changed files with 20 additions and 0 deletions
--- a/mm/mempool/mempool.c
+++ b/mm/mempool/mempool.c
@ -273,6 +273,10 @@ retry:
        }
    }

+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0xaa, pool->blocksize);
+#endif
+
 #if CONFIG_MM_BACKTRACE >= 0
  mempool_add_backtrace(pool, (FAR struct mempool_backtrace_s *)
                              ((FAR char *)blk + pool->blocksize));
@ -312,6 +316,10 @@ void mempool_free(FAR struct mempool_s *pool, FAR void *blk)
  pool->nalloc--;
 #endif

+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0x55, pool->blocksize);
+#endif
+
  if (pool->interruptsize > blocksize)
    {
      if ((FAR char *)blk >= pool->ibase &&
--- a/mm/mm_heap/mm_free.c
+++ b/mm/mm_heap/mm_free.c
@ -104,6 +104,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)
      return;
    }

+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
  kasan_poison(mem, mm_malloc_size(heap, mem));

  /* Map the memory chunk into a free node */
--- a/mm/tlsf/mm_tlsf.c
+++ b/mm/tlsf/mm_tlsf.c
@ -689,6 +689,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)

  if (mm_lock(heap) == 0)
    {
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
      kasan_poison(mem, mm_malloc_size(heap, mem));

      /* Pass, return to the tlsf pool */
@ -1064,6 +1068,10 @@ FAR void *mm_malloc(FAR struct mm_heap_s *heap, size_t size)
      memdump_backtrace(heap, buf);
 #endif
      kasan_unpoison(ret, mm_malloc_size(heap, ret));
+
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(ret, 0xaa, mm_malloc_size(heap, ret));
+#endif
    }

  return ret;