From 1c17c7134ac8e8019a4289b160286800252bdda9 Mon Sep 17 00:00:00 2001
From: guenther <guenther@openbsd.org>
Date: Thu, 30 Jun 2022 17:15:48 +0000
Subject: [PATCH] To figure our whether a large allocation can be grown into
 the following page(s) we've been first mquery()ing for it, mmapp()ing w/o
 MAP_FIXED if available, and then munmap()ing if there was a race.  Instead,
 just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE)

tested in snaps for weeks

ok deraadt@
---
 lib/libc/stdlib/malloc.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index a7000875344..b12c89aca03 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: malloc.c,v 1.273 2022/02/26 16:14:42 otto Exp $	*/
+/*	$OpenBSD: malloc.c,v 1.274 2022/06/30 17:15:48 guenther Exp $	*/
 /*
  * Copyright (c) 2008, 2010, 2011, 2016 Otto Moerbeek <otto@drijf.net>
  * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -100,9 +100,6 @@
 #define MMAPA(a,sz,f)	mmap((a), (sz), PROT_READ | PROT_WRITE, \
     MAP_ANON | MAP_PRIVATE | (f), -1, 0)
 
-#define MQUERY(a,sz,f)	mquery((a), (sz), PROT_READ | PROT_WRITE, \
-    MAP_ANON | MAP_PRIVATE | MAP_FIXED | (f), -1, 0)
-
 struct region_info {
 	void *p;		/* page; low bits used to mark chunks */
 	uintptr_t size;		/* size for pages, or chunk_info pointer */
@@ -1687,11 +1684,7 @@ orealloc(struct dir_info **argpool, void *p, size_t newsz, void *f)
 				size_t needed = rnewsz - roldsz;
 
 				STATS_INC(pool->cheap_realloc_tries);
-				q = MQUERY(hint, needed, pool->mmap_flag);
-				if (q == hint)
-					q = MMAPA(hint, needed, pool->mmap_flag);
-				else
-					q = MAP_FAILED;
+				q = MMAPA(hint, needed, MAP_FIXED | __MAP_NOREPLACE | pool->mmap_flag);
 				if (q == hint) {
 					STATS_ADD(pool->malloc_used, needed);
 					if (pool->malloc_junk == 2)
@@ -1709,9 +1702,6 @@ orealloc(struct dir_info **argpool, void *p, size_t newsz, void *f)
 					STATS_INC(pool->cheap_reallocs);
 					ret = p;
 					goto done;
-				} else if (q != MAP_FAILED) {
-					if (munmap(q, needed))
-						wrterror(pool, "munmap %p", q);
 				}
 			}
 		} else if (rnewsz < roldsz) {
-- 
2.20.1