Kwonsk, Thanks for reporting this, it looks like you are correct and I have opened a PR against this here https://github.com/apache/incubator-nuttx/pull/1316
If you are able to test it that would be great. We can also make sure this gets into the 9.1 release.

--Brennan

On Wed, Jun 24, 2020, 1:02 AM <kwo...@kmd.co.kr> wrote:
> Hi,
>
> During the test, I've got a system crash (hardfault) when running os_test.
> After debugging with jtag+gdb, I found that crash occurred at
> line 283 of mm_realloc() (mm_realloc.c).
>
> Hardfault cause was "accessing invalid memory area".
> This is because realloc logic uses new size (not the original size) when copying
> data to new target.
> For example, original size is 32 and realloc 1024, then current logic
> will try 1024 memcpy and this try crosses the end of valid memory and produce memory faults.
> (or just grab other processes memory if it is valid memory area).
>
> Simple code reordering should fix this issue (line 273 - 283).
>
> ================
> From
>
>   /* Now we want to return newnode */
>
>   oldnode = newnode;
>   oldsize = newnode->size;
>
>   /* Now we have to move the user contents 'down' in memory.  memcpy
>    * should be safe for this.
>    */
>
>   newmem = (FAR void *)((FAR char *)newnode + SIZEOF_MM_ALLOCNODE);
>   memcpy(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE);
>
> To
>
>   /* Now we have to move the user contents 'down' in memory.  memcpy
>    * should be safe for this.
>    */
>
>   newmem = (FAR void *)((FAR char *)newnode + SIZEOF_MM_ALLOCNODE);
>   memcpy(newmem, oldmem, oldsize - SIZEOF_MM_ALLOCNODE);
>
>   /* Now we want to return newnode */
>
>   oldnode = newnode;
>   oldsize = newnode->size;
>
> ================
>
> That means use original size (oldsize) when memcpy.
>
> Thanks
>
> Kwonsk
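The ordering problem described in the thread, as an added example that is neither NuttX's code nor the PR's: a self-contained C model of the "move the user contents down" step of a realloc that grows into the free block below it. The struct `allocnode`, `SIZEOF_ALLOCNODE`, the `arena`, and the functions `build_scenario`, `move_down_fixed`, `buggy_copy_len`, `bytes_read_past_old` and the `demo_*` helpers are all hypothetical names for this model, and the arena is a constructed fake heap. The model uses memmove where the NuttX snippet uses memcpy, because the old and new payloads can overlap when the preceding free block is small; that choice is the example's, not the project's. The buggy ordering is shown only as the copy length it would have produced, never executed as a copy, so the demonstration stays memory-safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allocation header, loosely modelled on a NuttX allocation
 * node (not the real mm_allocnode_s).  As in NuttX, 'size' counts the
 * header plus the user payload. */
struct allocnode
{
  size_t size;
};
#define SIZEOF_ALLOCNODE sizeof(struct allocnode)

/* Constructed, simulated heap; nothing here touches a real allocator. */
#define ARENA_SIZE 2048
static unsigned char arena[ARENA_SIZE];

/* Bytes a copy of 'copylen' would read past the end of the old allocation
 * (0 means the copy stays inside the original block). */
size_t bytes_read_past_old(size_t oldsize, size_t copylen)
{
  size_t payload = oldsize - SIZEOF_ALLOCNODE;
  return copylen > payload ? copylen - payload : 0;
}

/* Fixed ordering: the copy length comes from the ORIGINAL node size, and
 * only afterwards is the bookkeeping switched to the new node.
 * Returns the number of payload bytes moved. */
size_t move_down_fixed(struct allocnode *oldnode, struct allocnode *newnode)
{
  size_t oldsize = oldnode->size;       /* captured before any update */
  unsigned char *oldmem = (unsigned char *)oldnode + SIZEOF_ALLOCNODE;
  unsigned char *newmem = (unsigned char *)newnode + SIZEOF_ALLOCNODE;
  size_t copylen = oldsize - SIZEOF_ALLOCNODE;

  /* newnode lies below oldnode; the payloads may overlap, so memmove. */
  memmove(newmem, oldmem, copylen);

  /* Now (and not before) newnode becomes the node we return. */
  oldnode = newnode;
  oldsize = newnode->size;
  (void)oldnode;
  (void)oldsize;
  return copylen;
}

/* Buggy ordering from the report: oldsize is overwritten with newnode->size
 * before the copy length is computed, so the length reflects the NEW block.
 * Only the length is returned; the copy itself is deliberately not done. */
size_t buggy_copy_len(struct allocnode *oldnode, struct allocnode *newnode)
{
  size_t oldsize = oldnode->size;
  oldsize = newnode->size;              /* clobbered too early */
  return oldsize - SIZEOF_ALLOCNODE;
}

/* Lay out the report's scenario in the arena: a new, larger block at offset
 * 0 and an old block of 'old_payload' user bytes (filled with 0xAA) whose end
 * coincides with the end of the new block.  Every other byte of the arena,
 * including everything above the old block, is 0xEE: "not our memory". */
static void build_scenario(size_t old_payload, size_t new_payload,
                           struct allocnode **oldnode, struct allocnode **newnode)
{
  size_t old_off = new_payload - old_payload;   /* old block ends where new ends */
  memset(arena, 0xEE, ARENA_SIZE);
  *newnode = (struct allocnode *)arena;
  (*newnode)->size = new_payload + SIZEOF_ALLOCNODE;
  *oldnode = (struct allocnode *)(arena + old_off);
  (*oldnode)->size = old_payload + SIZEOF_ALLOCNODE;
  memset((unsigned char *)*oldnode + SIZEOF_ALLOCNODE, 0xAA, old_payload);
}

/* Fixed ordering: true if the payload survives the move and the copy length
 * stays inside the original allocation. */
bool demo_fixed(size_t old_payload, size_t new_payload)
{
  struct allocnode *oldnode, *newnode;
  if (new_payload < old_payload || new_payload + SIZEOF_ALLOCNODE > ARENA_SIZE)
    return false;
  build_scenario(old_payload, new_payload, &oldnode, &newnode);

  size_t copied = move_down_fixed(oldnode, newnode);
  unsigned char *newmem = (unsigned char *)newnode + SIZEOF_ALLOCNODE;
  for (size_t i = 0; i < old_payload; i++)
    if (newmem[i] != 0xAA)
      return false;
  return copied == old_payload &&
         bytes_read_past_old(old_payload + SIZEOF_ALLOCNODE, copied) == 0;
}

/* Buggy ordering: how many bytes beyond the original allocation the memcpy
 * would have read (992 for the 32 -> 1024 case in the report). */
size_t demo_buggy_overread(size_t old_payload, size_t new_payload)
{
  struct allocnode *oldnode, *newnode;
  if (new_payload < old_payload || new_payload + SIZEOF_ALLOCNODE > ARENA_SIZE)
    return 0;
  build_scenario(old_payload, new_payload, &oldnode, &newnode);
  return bytes_read_past_old(oldnode->size, buggy_copy_len(oldnode, newnode));
}

int main(void)
{
  printf("fixed ordering preserves payload: %s\n",
         demo_fixed(32, 1024) ? "yes" : "no");
  printf("buggy ordering would read %zu bytes past the old block\n",
         demo_buggy_overread(32, 1024));
  return 0;
}
```

The two demo functions isolate the one thing the reorder changes: with the original-size capture moved after the copy, the length passed to the copy is the new block's payload, and every byte of that excess is a read outside the allocation, which on a target without an MPU may silently pick up a neighbour's data rather than fault.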