Fix app heap corrupted unchecked issue (#788)

Check whether app heap is corrupted in gc_migrate() and gci_dump(), and handle the failures in wasm/aot_enlarge_memory().
2021-10-15 20:56:41 +08:00
parent a121e45a1e
commit 3dff80157b
7 changed files with 75 additions and 21 deletions
--- a/core/shared/mem-alloc/ems/ems_alloc.c
+++ b/core/shared/mem-alloc/ems/ems_alloc.c
@ -235,12 +235,12 @@ gci_add_fc(gc_heap_t *heap, hmu_t *hmu, gc_size_t size)
        return true;
    }

-    /* big block*/
+    /* big block */
    node = (hmu_tree_node_t *)hmu;
    node->size = size;
    node->left = node->right = node->parent = NULL;

-    /* find proper node to link this new node to*/
+    /* find proper node to link this new node to */
    root = &heap->kfc_tree_root;
    tp = root;
    bh_assert(tp->size < size);
@ -253,7 +253,7 @@ gci_add_fc(gc_heap_t *heap, hmu_t *hmu, gc_size_t size)
            }
            tp = tp->right;
        }
-        else { /* tp->size >= size*/
+        else { /* tp->size >= size */
            if (!tp->left) {
                tp->left = node;
                node->parent = tp;
@ -759,7 +759,7 @@ gci_dump(gc_heap_t *heap)
        else if (ut == HMU_FC)
            inuse = 'F';

-        if (size == 0) {
+        if (size == 0 || size > (uint8 *)end - (uint8 *)cur) {
            os_printf("[GC_ERROR]Heap is corrupted, heap dump failed.\n");
            heap->is_heap_corrupted = true;
            return;
@ -779,5 +779,8 @@ gci_dump(gc_heap_t *heap)
        i++;
    }

-    bh_assert(cur == end);
+    if (cur != end) {
+        os_printf("[GC_ERROR]Heap is corrupted, heap dump failed.\n");
+        heap->is_heap_corrupted = true;
+    }
 }
--- a/core/shared/mem-alloc/ems/ems_kfc.c
+++ b/core/shared/mem-alloc/ems/ems_kfc.c
@ -183,6 +183,11 @@ gc_migrate(gc_handle_t handle, char *pool_buf_new, gc_size_t pool_buf_size)
    if (offset == 0)
        return 0;

+    if (heap->is_heap_corrupted) {
+        os_printf("[GC_ERROR]Heap is corrupted, heap migrate failed.\n");
+        return GC_ERROR;
+    }
+
    heap->base_addr = (uint8 *)base_addr_new;
    adjust_ptr((uint8 **)&heap->kfc_tree_root.left, offset);
    adjust_ptr((uint8 **)&heap->kfc_tree_root.right, offset);
@ -193,7 +198,12 @@ gc_migrate(gc_handle_t handle, char *pool_buf_new, gc_size_t pool_buf_size)

    while (cur < end) {
        size = hmu_get_size(cur);
-        bh_assert(size > 0);
+
+        if (size <= 0 || size > (uint8 *)end - (uint8 *)cur) {
+            os_printf("[GC_ERROR]Heap is corrupted, heap migrate failed.\n");
+            heap->is_heap_corrupted = true;
+            return GC_ERROR;
+        }

        if (hmu_get_ut(cur) == HMU_FC && !HMU_IS_FC_NORMAL(size)) {
            tree_node = (hmu_tree_node_t *)cur;
@ -207,7 +217,12 @@ gc_migrate(gc_handle_t handle, char *pool_buf_new, gc_size_t pool_buf_size)
        cur = (hmu_t *)((char *)cur + size);
    }

-    bh_assert(cur == end);
+    if (cur != end) {
+        os_printf("[GC_ERROR]Heap is corrupted, heap migrate failed.\n");
+        heap->is_heap_corrupted = true;
+        return GC_ERROR;
+    }
+
    return 0;
 }