On 11/05/2017 01:18 PM, Nicholas Piggin wrote:
Something like the following patch may help if you could test.

The patch appears to fix it:

# /lib64/ld64.so.1 ./a.out
initial brk value: 0x7fffe4590000
probing at 0x80000001fffc

I used the following simplified reproducer:

#include <err.h>
#include <unistd.h>
#include <inttypes.h>
#include <errno.h>
#include <stdio.h>

int
main (void)
{
  /* Read the current program break; sbrk (0) never moves it, so a
     non-zero errno here means the call itself failed.  */
  errno = 0;
  void *p = sbrk (0);
  if (errno != 0)
    err (1, "sbrk (0)");
  printf ("initial brk value: %p\n", p);
  /* Ask for a break just past the 128 TiB boundary (0x800000000000).  */
  unsigned long long target = 0x800000020000ULL;
  if ((uintptr_t) p >= target)
    errx (1, "initial brk value is already above target");
  unsigned long long increment = target - (uintptr_t) p;
  errno = 0;
  sbrk (increment);
  if (errno != 0)
    err (1, "sbrk (0x%llx)", increment);
  /* Store into the last word below the new break.  The break was
     extended successfully, so this access must not fault.  */
  volatile int *pi = (volatile int *) (target - 4);
  printf ("probing at %p\n", pi);
  *pi = 1;
  return 0;
}


It is still probabilistic because if the increment is too large, the second sbrk call will fail with an out of memory error (which is expected), so you'll have to run it a couple of times.

If the test fails, the write will segfault.

Thanks,
Florian
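As an added harness (not part of Florian's mail or of the kernel patch), the following runs the same probe in a forked child, so a segfault is reported back as a result code instead of killing the caller, and the expected ENOMEM case is told apart from a real failure. The enum and function names are my own; the target value is the one from the reproducer.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one probe attempt, as observed by the parent. */
enum probe_result { PROBE_OK = 0, PROBE_ALREADY_ABOVE, PROBE_ENOMEM,
                    PROBE_SEGV, PROBE_ERROR };

/* Extend the break to cover `target` and store just below it, inside a
 * forked child.  A child killed by SIGSEGV is reported as PROBE_SEGV. */
enum probe_result probe_brk_target(uintptr_t target)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_ERROR;
    if (pid == 0) {
        errno = 0;
        uintptr_t cur = (uintptr_t) sbrk(0);
        if (errno != 0)
            _exit(PROBE_ERROR);
        if (cur >= target)
            _exit(PROBE_ALREADY_ABOVE);
        errno = 0;
        sbrk((intptr_t) (target - cur));   /* may be refused with ENOMEM */
        if (errno == ENOMEM)
            _exit(PROBE_ENOMEM);
        if (errno != 0)
            _exit(PROBE_ERROR);
        volatile int *pi = (volatile int *) (target - sizeof (int));
        *pi = 1;                            /* faults if the bug is present */
        _exit(PROBE_OK);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGSEGV ? PROBE_SEGV : PROBE_ERROR;
    return WIFEXITED(status) ? (enum probe_result) WEXITSTATUS(status)
                             : PROBE_ERROR;
}

int main(void)
{
    enum probe_result r = probe_brk_target(0x800000020000ULL);
    printf("probe result: %d (0 = ok, 2 = ENOMEM, 3 = SIGSEGV)\n", r);
    return r == PROBE_SEGV ? 1 : 0;
}
```

Because the child inherits the parent's break, the randomized initial break only changes between runs of the binary, so an ENOMEM result still means re-running the program, not retrying within it.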
