mm/heap: add coloration after free to detect use after free issue

Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
pkarashchenko · Sep 11, 2023 · 36e3d32 · 36e3d32
1 parent a7d0b6c
commit 36e3d32
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/mm/mempool/mempool.c b/mm/mempool/mempool.c
@@ -273,6 +273,10 @@ FAR void *mempool_alloc(FAR struct mempool_s *pool)
         }
     }
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0xaa, pool->blocksize);
+#endif
+
 #if CONFIG_MM_BACKTRACE >= 0
   mempool_add_backtrace(pool, (FAR struct mempool_backtrace_s *)
                               ((FAR char *)blk + pool->blocksize));
@@ -312,6 +316,10 @@ void mempool_free(FAR struct mempool_s *pool, FAR void *blk)
   pool->nalloc--;
 #endif
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(blk, 0x55, pool->blocksize);
+#endif
+
   if (pool->interruptsize > blocksize)
     {
       if ((FAR char *)blk >= pool->ibase &&

diff --git a/mm/mm_heap/mm_free.c b/mm/mm_heap/mm_free.c
@@ -104,6 +104,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)
       return;
     }
 
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+  memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
   kasan_poison(mem, mm_malloc_size(heap, mem));
 
   /* Map the memory chunk into a free node */

diff --git a/mm/tlsf/mm_tlsf.c b/mm/tlsf/mm_tlsf.c
@@ -689,6 +689,10 @@ void mm_free(FAR struct mm_heap_s *heap, FAR void *mem)
 
   if (mm_lock(heap) == 0)
     {
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(mem, 0x55, mm_malloc_size(heap, mem));
+#endif
+
       kasan_poison(mem, mm_malloc_size(heap, mem));
 
       /* Pass, return to the tlsf pool */
@@ -1064,6 +1068,10 @@ FAR void *mm_malloc(FAR struct mm_heap_s *heap, size_t size)
       memdump_backtrace(heap, buf);
 #endif
       kasan_unpoison(ret, mm_malloc_size(heap, ret));
+
+#ifdef CONFIG_MM_FILL_ALLOCATIONS
+      memset(ret, 0xaa, mm_malloc_size(heap, ret));
+#endif
     }
 
   return ret;