* [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail
@ 2025-10-21 14:54 Ahmad Fatoum
  2025-10-21 14:54 ` [PATCH 2/2] test: self: malloc: fix false positive when malloc store is registered Ahmad Fatoum
  2025-10-22  6:27 ` [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail Sascha Hauer
From: Ahmad Fatoum @ 2025-10-21 14:54 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

If the realloc call unexpectedly succeeds, the p pointer is invalidated,
but it is freed unconditionally later on, which triggers a
use-after-free.

Account for this by zeroing p when it becomes stale.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/self/malloc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/self/malloc.c b/test/self/malloc.c
index 52f9fc344c1a..a60e95b2233f 100644
--- a/test/self/malloc.c
+++ b/test/self/malloc.c
@@ -109,9 +109,15 @@ static void test_malloc(void)
 
 	if (mem_malloc_size) {
 		tmp = expect_alloc_fail(realloc(p, mem_malloc_size));
+		if (tmp)
+			p = NULL;
+
 		free(tmp);
 
 		tmp = expect_alloc_fail(realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1)));
+		if (tmp)
+			p = NULL;
+
 		free(tmp);
 	} else {
 		skipped_tests += 2;
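Review bot: Once the first realloc unexpectedly succeeds and p is set to NULL, the second `realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1))` receives a NULL pointer and so behaves as a plain malloc rather than a realloc of a live block; the expectation still holds, but that second check no longer exercises the realloc path. If that matters for the self-test, allocating a fresh small block into p before the second call (e.g. `p = expect_alloc_ok(malloc(1));`) would keep both checks on realloc. Either way a short comment on the new lines, such as `/* a successful realloc already freed p; do not free it again below */`, would explain why p is cleared, since the final free(p) that depends on it is outside this hunk. test_malloc starts and ends outside the hunk.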
-- 
2.47.3





* [PATCH 2/2] test: self: malloc: fix false positive when malloc store is registered
  2025-10-21 14:54 [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail Ahmad Fatoum
@ 2025-10-21 14:54 ` Ahmad Fatoum
  2025-10-22  6:27 ` [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail Sascha Hauer
From: Ahmad Fatoum @ 2025-10-21 14:54 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

If malloc_register_store has been called, a malloc of the total size of
the current malloc area may still succeed, because it requests a buffer
from the external store.

Adapt the test to account for this.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/tlsf_malloc.c |  5 +++++
 include/malloc.h     |  3 +++
 test/self/malloc.c   | 16 ++++++++++++----
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/common/tlsf_malloc.c b/common/tlsf_malloc.c
index 9d55014117f0..7de39ebeef09 100644
--- a/common/tlsf_malloc.c
+++ b/common/tlsf_malloc.c
@@ -147,3 +147,8 @@ void malloc_register_store(void (*cb)(size_t bytes))
 	malloc_request_store = cb;
 	tlsf_register_store(tlsf_mem_pool, tlsf_request_store);
 }
+
+bool malloc_store_is_registered(void)
+{
+	return malloc_request_store;
+}
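Review bot: `return malloc_request_store;` relies on the implicit pointer-to-bool conversion; `return malloc_request_store != NULL;` states the intent directly and reads as the comparison one expects for a callback pointer. The new function also carries no documentation; a kerneldoc-style comment such as `/** malloc_store_is_registered - true once malloc_register_store() installed a callback */` would tie it to the function just above it. Whether malloc_request_store is ever reset to NULL is not visible here, so presumably this reports a one-way state; if so, saying that in the comment would help callers.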
diff --git a/include/malloc.h b/include/malloc.h
index 69ff23b4a058..81ab0f457b01 100644
--- a/include/malloc.h
+++ b/include/malloc.h
@@ -24,6 +24,9 @@
 #ifdef CONFIG_MALLOC_TLSF
 void *malloc_add_pool(void *mem, size_t bytes);
 void malloc_register_store(void (*cb)(size_t bytes));
+bool malloc_store_is_registered(void);
+#else
+static inline bool malloc_store_is_registered(void) { return false; }
 #endif
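Review bot: Both the declaration under CONFIG_MALLOC_TLSF and the inline stub under #else use `bool`, and this hunk does not show whether the header already pulls in a definition of bool (for example via linux/types.h); if it does not, these are the first lines in the header to need it. A one-line comment above the stub, e.g. `/* only the TLSF allocator can satisfy requests from an external store */`, would explain why the non-TLSF answer is unconditionally false.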
 
 #if IN_PROPER
diff --git a/test/self/malloc.c b/test/self/malloc.c
index a60e95b2233f..cf307158fb7e 100644
--- a/test/self/malloc.c
+++ b/test/self/malloc.c
@@ -67,6 +67,7 @@ static void *__expect(void *ptr, bool expect,
 static void test_malloc(void)
 {
 	size_t mem_malloc_size = mem_malloc_end() - mem_malloc_start();
+	bool have_overcommit = false;
 	u8 *p, *tmp;
 
 	pr_debug("mem_malloc_size = %zu\n", mem_malloc_size);
@@ -78,7 +79,7 @@ static void test_malloc(void)
 	 */
 	if (IS_ENABLED(CONFIG_MALLOC_LIBC)) {
 		pr_info("built with host libc allocator: Skipping tests that may trigger overcommit\n");
-		mem_malloc_size = 0;
+		have_overcommit = true;
 	}
 
 	p = expect_alloc_ok(malloc(1));
@@ -90,7 +91,7 @@ static void test_malloc(void)
 	p = expect_alloc_fail(malloc(RELOC_HIDE(MALLOC_MAX_SIZE, 1)));
 	free(p);
 
-	if (mem_malloc_size) {
+	if (!have_overcommit) {
 		tmp = expect_alloc_fail(malloc(RELOC_HIDE(MALLOC_MAX_SIZE, -1)));
 		free(tmp);
 	} else {
@@ -108,19 +109,26 @@ static void test_malloc(void)
 	__expect_cond(*p == 0x42, true, "reread after realloc", __func__, __LINE__);
 
 	if (mem_malloc_size) {
-		tmp = expect_alloc_fail(realloc(p, mem_malloc_size));
+		tmp = realloc(p, mem_malloc_size);
+		if (!malloc_store_is_registered())
+			__expect_cond(tmp, false, "realloc of mem_malloc_size", __func__, __LINE__);
+
 		if (tmp)
 			p = NULL;
 
 		free(tmp);
+	} else {
+		skipped_tests++;
+	}
 
+	if (!have_overcommit) {
 		tmp = expect_alloc_fail(realloc(p, RELOC_HIDE(MALLOC_MAX_SIZE, -1)));
 		if (tmp)
 			p = NULL;
 
 		free(tmp);
 	} else {
-		skipped_tests += 2;
+		skipped_tests++;
 	}
 
 	free(p);
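Review bot: With mem_malloc_size no longer zeroed for CONFIG_MALLOC_LIBC, the `if (mem_malloc_size)` branch at the top of this hunk now runs the `realloc(p, mem_malloc_size)` check under the host allocator, which the comment in the earlier hunk says may overcommit; unless mem_malloc_size is 0 on libc builds (not visible here), `__expect_cond(tmp, false, ...)` can then report a failure that the old `mem_malloc_size = 0` guard avoided. Gating on both conditions, `if (mem_malloc_size && !have_overcommit) {`, keeps the skip count at two for the overcommit case, matching the previous `skipped_tests += 2`. A comment on the `if (!malloc_store_is_registered())` line, e.g. `/* an external store can satisfy a request larger than the local pool */`, would explain why the expectation is conditional. test_malloc's body continues past the end of this hunk, including the final free(p).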
-- 
2.47.3





* Re: [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail
  2025-10-21 14:54 [PATCH 1/2] test: self: malloc: fix double free after expect_alloc_fail Ahmad Fatoum
  2025-10-21 14:54 ` [PATCH 2/2] test: self: malloc: fix false positive when malloc store is registered Ahmad Fatoum
@ 2025-10-22  6:27 ` Sascha Hauer
From: Sascha Hauer @ 2025-10-22  6:27 UTC (permalink / raw)
  To: barebox, Ahmad Fatoum


On Tue, 21 Oct 2025 16:54:13 +0200, Ahmad Fatoum wrote:
> If the realloc call unexpectedly succeeds, the p pointer is invalidated,
> but it's free'd unconditionally later on, which triggers a
> user-after-free.
> 
> Account for this by zeroing p when it becomes stale.
> 
> 
> [...]

Applied, thanks!

[1/2] test: self: malloc: fix double free after expect_alloc_fail
      https://git.pengutronix.de/cgit/barebox/commit/?id=745c925fa79e (link may not be stable)
[2/2] test: self: malloc: fix false positive when malloc store is registered
      https://git.pengutronix.de/cgit/barebox/commit/?id=e11c2f618876 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>




