Open savar opened 3 years ago
I just realized, adjust_request_size() can already return 0 in case the aligned value in adjust_request_size() is >= block_size_max, and then this might kill tlsf_realloc() as it might call block_trim_used() with an adjust value of 0. Not sure if this is an issue but it looks very much like it.
see: https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/
In case tlsf_alloc is called with 0xffffffffu on a 32bit system, the align_up() function will set the adjusted size to 0 and the tlsf_max() will set it to the minimum, which was in my case 12 bytes. Therefore asking TLSF for SIZE_T_MAX (0xffffffff) will not fail with returning NULL but will return a pointer to a 12 byte memory block.

tlsf_alloc is kind of easy to fix, but the _realloc brother is less obvious. So fixing it in adjust_request_size() isn't really working.
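
Added example, not part of the original issue or the TLSF source: a C model of the wrap described above, with uint32_t standing in for a 32-bit size_t, next to a variant that range-checks the raw request before aligning. ALIGN_SIZE, BLOCK_SIZE_MAX and all function names here are assumptions; 12 is the minimum block size mentioned in the report.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model values, not taken from the TLSF source. */
typedef uint32_t size32_t;            /* stands in for a 32-bit size_t */
#define ALIGN_SIZE      4u            /* assumed alignment */
#define BLOCK_SIZE_MIN  12u           /* minimum block size reported in the issue */
#define BLOCK_SIZE_MAX  (1u << 30)    /* assumed upper bound */

/* Wraps modulo 2^32 when x is within align-1 of UINT32_MAX. */
static size32_t align_up32(size32_t x, size32_t align)
{
    return (x + (align - 1u)) & ~(align - 1u);
}

/* Unchecked: aligns first, then clamps. 0xffffffff wraps to 0 and is raised to 12. */
static size32_t adjust_unchecked(size32_t size)
{
    if (size == 0)
        return 0;
    const size32_t aligned = align_up32(size, ALIGN_SIZE);
    if (aligned >= BLOCK_SIZE_MAX)
        return 0;
    return aligned > BLOCK_SIZE_MIN ? aligned : BLOCK_SIZE_MIN;
}

/* Checked: range-test the raw request before any arithmetic; 0 means "reject". */
static size32_t adjust_checked(size32_t size)
{
    if (size == 0 || size > BLOCK_SIZE_MAX - ALIGN_SIZE)
        return 0;
    const size32_t aligned = align_up32(size, ALIGN_SIZE);
    return aligned > BLOCK_SIZE_MIN ? aligned : BLOCK_SIZE_MIN;
}

/* Caller-side rule for malloc- and realloc-style paths:
 * a nonzero request that adjusts to 0 must fail, never proceed with size 0. */
static int request_must_fail(size32_t size, size32_t adjusted)
{
    return size != 0 && adjusted == 0;
}

int main(void)
{
    const size32_t reqs[] = { 1u, 100u, BLOCK_SIZE_MAX, 0xfffffffdu, 0xffffffffu };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("req=0x%08x unchecked=%u checked=%u reject=%d\n", (unsigned)reqs[i],
               (unsigned)adjust_unchecked(reqs[i]), (unsigned)adjust_checked(reqs[i]),
               request_must_fail(reqs[i], adjust_checked(reqs[i])));
    return 0;
}
```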