free magic is broken

free magic is broken

[Vincent Guffens]

Hi,

I have made a small test program that uses the memory management of grub2 to
manage an allocated buffer and I can reproduce the free magic is broken
problem  with it.

I have prepared a small web page with some details as it is a little bit long
to explain here. See it there if you want more information:

http://www.auto.ucl.ac.be/~guffens/grub2_netboot/free_magic_broken.html

I propose the following patch to fix this problem. This patch will modify the
mm code of grub2 only when the problem would occur in subsequent call to
grub_free:

diff -ru grub2/kern/mm.c grub2_free_magic_broken/kern/mm.c
--- grub2/kern/mm.c     2005-01-20 18:25:39.000000000 +0100
+++ grub2_free_magic_broken/kern/mm.c   2005-06-22 22:59:58.660577232 +0200
@@ -298,6 +298,10 @@
          p->next->magic = 0;
          p->size += p->next->size;
          p->next = p->next->next;
+         if (q->magic != GRUB_MM_FREE_MAGIC) {
+           r->first = p;
+           return;
+         }
        }

       if (q + q->size == p)








--
         Vincent Guffens
         UCL/CESAME  +32 10 47 80 30 
         Euler Building A017

Re: free magic is broken

[Yoshinori K. Okuji]

On Wednesday 22 June 2005 23:13, Vincent Guffens wrote:
> I have prepared a small web page with some details as it is a little bit
> long to explain here. See it there if you want more information:
>
> http://www.auto.ucl.ac.be/~guffens/grub2_netboot/free_magic_broken.html

Thank you very much for your analysis! I finally understood what's wrong, and 
checked in a fix (a bit different from yours). I guess it was very hard to 
find how to reproduce this bug.

Okuji

Re: free magic is broken

[Vincent Guffens]

Yoshinori K. Okuji wrote:
> On Wednesday 22 June 2005 23:13, Vincent Guffens wrote:
> 
>>I have prepared a small web page with some details as it is a little bit
>>long to explain here. See it there if you want more information:
>>
>>http://www.auto.ucl.ac.be/~guffens/grub2_netboot/free_magic_broken.html
> 
> 
> Thank you very much for your analysis! I finally understood what's wrong, and 
> checked in a fix (a bit different from yours). I guess it was very hard to 
> find how to reproduce this bug.
> 
> Okuji

yes, it was good fun (and a long night)! I managed to post a wrong test 
version yesterday. In the test program, this is not

grub_malloc(base->first->size*(16-1));

but

grub_malloc(base->first->size*16-16);

Although it turns out to be equivalent as far as the bug is concerned, 
in this particular example.

It is good to have that nasty one behind !



-- 
				Vincent Guffens
				PhD Student UCL/CESAME
				tel:   +32 10 47 80 30
Value your freedom, or you will lose it, teaches history.
"Don't bother us with politics," respond those who don't want to learn.
	      	-- Richard M. Stallman

Re: free magic is broken

[Marco Gerards]

"Vincent Guffens" <guffens@inma.ucl.ac.be> writes:

Hi Vincent,

> I have made a small test program that uses the memory management of grub2 to
> manage an allocated buffer and I can reproduce the free magic is broken
> problem  with it.

Wow! Nice work!  This bug has shown up before but was not easy to
reproduce.  I am happy you found a way to reproduce the bug and come
up with a fix.

Thanks,
Marco