This is the mail archive of the
elfutils-devel@sourceware.org
mailing list for the elfutils project.
Re: Bugzilla component missing and another (minor) fuzzing-related bug report
- From: Mark Wielaard <mjw at redhat dot com>
- To: elfutils-devel at lists dot fedorahosted dot org
- Date: Mon, 19 Oct 2015 10:01:08 +0200
- Subject: Re: Bugzilla component missing and another (minor) fuzzing-related bug report
On Mon, 2015-10-19 at 03:50 +0300, Alexander Cherepanov wrote:
> On 2015-06-24 11:14, Mark Wielaard wrote:
> > But in this case as far as I know these kind of malloc argument checks
> > are indeed just noise. We do check the results of malloc everywhere
> > (or should at least). I might be wrong of course, or miss something
> > subtle. So please do let me know if you think it is something to fix
> > differently from how we handle it currently.
>
> gcc doesn't support objects more than half the address space in size --
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67999 . So if you are
> malloc'ing >2GB on 32-bit platforms you should be concerned.
Urgh. So malloc might return a memory object larger than PTRDIFF_MAX?
I had indeed assumed something like that couldn't happen. It makes the
size calculations and/or indexing into such a memory object afterwards a
little tricky I believe. Since pointer + something > PTRDIFF_MAX seems
not well defined. hmmmm.
I think it makes sense to raise this as a bug against glibc.
And we probably do have to audit all such suspicious mallocs to make
sure we aren't actually doing any pointer calculations using the size
(or just reject any allocation > PTRDIFF_MAX).
Thanks,
Mark