malloc 中的 SIGSEGV?
谁能给出一些示例代码,使 malloc 发出 sigsegv 信号? 谷歌搜索到,堆损坏可能会导致 malloc 中的 sigsegv,但我无法理解。
多谢。
Can anyone give out some example code which will make malloc signal an sigsegv?
Googled that, heap corruption may lead to an sigsegv in malloc, but I can't understand that.
Thanks a lot.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这很有可能会导致问题,尽管可能是
free()而不是malloc()为您提供 SIGSEGV。您可能会在
malloc()中遇到崩溃:这会覆盖分配的内存之前和之后的 32 个字节,如果连续存储分配的内存(通常是案)。使用零可以最大限度地提高获得空指针访问的机会。您可以选择替代值来覆盖数据,这可能意味着大小看起来大于零(其中零大小可能会保护您免受内存访问)。
当然,这都是完全未定义的行为;您可能会在
memset()中发生崩溃,或者您可能根本不会发生崩溃。There's a decent chance this will cause problems, though it might be
free()rather thanmalloc()that gives you the SIGSEGV.You might get the crash in
malloc()with:This overwrites 32 bytes before and after the allocated memory, which is likely to corrupt any control information if it is stored contiguously will the allocated memory (which is usually the case). Using zeroes maximizes the chance that you'll get a null pointer access. You could choose an alternative value to write over the data which might means that sizes appear larger than zero (where zero sizes might protect you from memory access).
Of course, this is all completely undefined behaviour; you might get the crash in
memset(), or you might not get a crash at all.试试这个:
它的工作原理是破坏链接的空闲列表,刚刚释放的块是指向不可修改内存的成员。当
malloc尝试从此列表中出列时,会发生崩溃。它几乎肯定适用于malloc和free时间复杂度为 O(1) 的任何实现。Try this:
It works by corrupting the linked free list a just-freed block is a member of to point into non-modifiable memory. The crash happens when
mallocattempts to dequeue from this list. It's almost sure to work on any implementation wheremallocandfreeare O(1).