吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn


[求助] 求助大家如何迁移glibc的堆管理库函数问题到rtos上?

minipython 发表于 2024-5-21 14:42

1. 传统漏洞如何迁移

传统 Linux 上的 glibc 堆管理有很多已公开的漏洞,但这些漏洞问题如何迁移到 RTOS 上?

2. 开源rtos

比如 Zephyr、FreeRTOS 等开源 RTOS,都有各自实现的堆管理函数,包括 alloc、free、split、merge 等,而且每一个 RTOS 的实现算法都不一样。如何才能把 glibc 中出现过的漏洞迁移到这些 RTOS 自身的堆实现上?有什么工具或者方法吗?
下面是 Zephyr 的部分 alloc 代码:

/*
 * Allocate a block of at least `bytes` bytes from `heap`.
 *
 * Returns a pointer to the usable memory of the chosen chunk, or NULL when
 * the request is zero-sized, is rejected by size_too_big(), or alloc_chunk()
 * cannot supply a chunk (it signals that with chunk id 0).
 *
 * When the chunk handed back by alloc_chunk() is larger than the request,
 * the tail is split off and returned to the free list before the chunk is
 * marked as used.
 */
void *sys_heap_alloc(struct sys_heap *heap, size_t bytes)
{
    struct z_heap *h = heap->heap;

    /* Zero-length requests are never served. */
    if (bytes == 0U) {
        return NULL;
    }

    /*
     * NOTE(review): size_too_big() is the only visible bound on `bytes`
     * before it is converted to chunk units. Its definition is not shown
     * here; presumably it rejects anything larger than the heap so that
     * bytes_to_chunksz() cannot wrap. Confirm against the helper.
     */
    if (size_too_big(h, bytes)) {
        return NULL;
    }

    const chunksz_t wanted = bytes_to_chunksz(h, bytes);
    const chunkid_t chunk = alloc_chunk(h, wanted);

    if (chunk == 0U) {
        return NULL;
    }

    /*
     * Give back whatever the chunk holds beyond the request. The remainder
     * starts `wanted` chunk units after `chunk`.
     */
    if (wanted < chunk_size(h, chunk)) {
        split_chunks(h, chunk, chunk + wanted);
        free_list_add(h, chunk + wanted);
    }

    set_chunk_used(h, chunk, true);

    void *mem = chunk_mem(h, chunk);

#if defined(CONFIG_SYS_HEAP_RUNTIME_STATS)
    /* Accounting uses the final chunk size, not the requested byte count. */
    increase_allocated_bytes(h, chunksz_to_bytes(h, chunk_size(h, chunk)));
#endif

#if defined(CONFIG_SYS_HEAP_LISTENER)
    heap_listener_notify_alloc(HEAP_ID_FROM_POINTER(heap), mem,
                               chunksz_to_bytes(h, chunk_size(h, chunk)));
#endif

    IF_ENABLED(CONFIG_MSAN, (__msan_allocated_memory(mem, bytes)));
    return mem;
}

/*
 * Allocate `bytes` bytes from `heap` at an address derived from `align`.
 *
 * `align` carries the alignment and, optionally, one extra lower bit that
 * requests a "rewind" (see the comment below). When `align` has a single
 * bit set and does not exceed chunk_header_bytes(h), the call is forwarded
 * to sys_heap_alloc().
 *
 * Returns NULL when `bytes` is zero, when size_too_big() rejects `bytes`,
 * or when alloc_chunk() returns chunk id 0.
 *
 * The function over-allocates one chunk, picks the aligned position inside
 * it, and hands the unused prefix and suffix back to the free list.
 */
void *sys_heap_aligned_alloc(struct sys_heap *heap, size_t align, size_t bytes)
{
    struct z_heap *h = heap->heap;
    size_t gap, rew;

    /*
     * Split align and rewind values (if any).
     * We allow for one bit of rewind in addition to the alignment
     * value to efficiently accommodate z_heap_aligned_alloc().
     * So if e.g. align = 0x28 (32 | 8) this means we align to a 32-byte
     * boundary and then rewind 8 bytes.
     */
    /* align & -align isolates the lowest set bit of align. */
    rew = align & -align;
    if (align != rew) {
        /* More than one bit set: the lowest bit is the rewind amount. */
        align -= rew;
        gap = MIN(rew, chunk_header_bytes(h));
    } else {
        /* Single bit (or zero): no rewind requested. */
        if (align <= chunk_header_bytes(h)) {
            return sys_heap_alloc(heap, bytes);
        }
        rew = 0;
        gap = chunk_header_bytes(h);
    }
    /*
     * NOTE(review): the power-of-two requirement is enforced only through
     * __ASSERT, whose behaviour depends on build configuration not shown
     * here. If assertions can be compiled out, a caller that passes an
     * unvalidated `align` reaches the arithmetic below unchecked; confirm
     * that callers validate it.
     */
    __ASSERT((align & (align - 1)) == 0, "align must be a power of 2");

    /*
     * NOTE(review): only `bytes` is range-checked here. The padded request
     * `bytes + align - gap` computed below is not checked separately in
     * this function; confirm that bytes_to_chunksz()/alloc_chunk() cannot
     * wrap or truncate it for a very large `align`.
     */
    if (bytes == 0 || size_too_big(h, bytes)) {
        return NULL;
    }

    /*
     * Find a free block that is guaranteed to fit.
     * We over-allocate to account for alignment and then free
     * the extra allocations afterwards.
     */
    chunksz_t padded_sz = bytes_to_chunksz(h, bytes + align - gap);
    chunkid_t c0 = alloc_chunk(h, padded_sz);

    /* Chunk id 0 is the failure value of alloc_chunk(). */
    if (c0 == 0) {
        return NULL;
    }
    uint8_t *mem = chunk_mem(h, c0);

    /* Align allocated memory */
    mem = (uint8_t *) ROUND_UP(mem + rew, align) - rew;
    /* End of the user region, rounded up to a whole chunk unit. */
    chunk_unit_t *end = (chunk_unit_t *) ROUND_UP(mem + bytes, CHUNK_UNIT);

    /* Get corresponding chunks */
    chunkid_t c = mem_to_chunkid(h, mem);
    /* Pointer difference from chunk_buf(h), i.e. counted in chunk units. */
    chunkid_t c_end = end - chunk_buf(h);
    /*
     * The aligned region [c, c_end) must lie inside the over-allocated
     * chunk [c0, c0 + padded_sz).
     * NOTE(review): CHECK is defined elsewhere; if it expands to nothing
     * in production builds this bound is not enforced at run time, and the
     * splits below then edit chunk metadata on unverified ids. Confirm.
     */
    CHECK(c >= c0 && c  < c_end && c_end <= c0 + padded_sz);

    /* Split and free unused prefix */
    if (c > c0) {
        split_chunks(h, c0, c);
        free_list_add(h, c0);
    }

    /* Split and free unused suffix */
    if (right_chunk(h, c) > c_end) {
        split_chunks(h, c, c_end);
        free_list_add(h, c_end);
    }

    set_chunk_used(h, c, true);

#ifdef CONFIG_SYS_HEAP_RUNTIME_STATS
    /* Accounting uses the final chunk size, not the requested byte count. */
    increase_allocated_bytes(h, chunksz_to_bytes(h, chunk_size(h, c)));
#endif

#ifdef CONFIG_SYS_HEAP_LISTENER
    heap_listener_notify_alloc(HEAP_ID_FROM_POINTER(heap), mem,
                   chunksz_to_bytes(h, chunk_size(h, c)));
#endif

    IF_ENABLED(CONFIG_MSAN, (__msan_allocated_memory(mem, bytes)));
    return mem;
}
