This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug malloc/22057] New: mcheck does not set the using_malloc_checking flag, so malloc_usable_size returns an invalid size
- From: "mo at mightym0 dot de" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 01 Sep 2017 00:22:14 +0000
- Subject: [Bug malloc/22057] New: mcheck does not set the using_malloc_checking flag, so malloc_usable_size returns an invalid size
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
Bug ID: 22057
Summary: mcheck does not set the using_malloc_checking flag, so malloc_usable_size returns an invalid size
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: mo at mightym0 dot de
Target Milestone: ---
The using_malloc_checking flag is only set in the __malloc_check_init function,
which is called when enabling the additional security check via the environment
variable MALLOC_CHECK_.
This happens in the ptmalloc_init function, in case check_action was set.
However, if you enable the additional checks by either linking with -lmcheck or
calling mcheck yourself, __malloc_check_init is never called, so
using_malloc_checking is never set.
When someone calls malloc_usable_size now, ultimately musable will check if
using_malloc_checking is set and call the special malloc_check_get_size
function.
Because the bit isn't set malloc_usable_size will return the value at the
normal size location which is the hdr->magic2 field now, which is set to this:
hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD;
While this will be rarely used apart from debugging, this could still have some
security implications as the value is most likely bigger than the actual size and,
if used for some bounds checking, could lead to an overflow.
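As an added illustration (not code from this bug report or from glibc), the following models the bogus magic2 value the report describes, shows why a write bound taken straight from malloc_usable_size is dangerous, and validates the reported size against the size the program requested itself. The function names, the ASSUMED_MAGICWORD placeholder (glibc's real constant is not on the page) and the one-page slack limit are assumptions made for the example.

```c
#include <malloc.h>   /* malloc_usable_size (glibc) */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of the bogus value from the report: with mcheck active but
 * using_malloc_checking unset, malloc_usable_size() returns hdr->magic2 =
 * (uintptr_t) hdr ^ MAGICWORD. The magic word is an assumed placeholder. */
#define ASSUMED_MAGICWORD 0xdeadbeefUL
size_t bogus_usable_size(const void *hdr)
{
    return (size_t) ((uintptr_t) hdr ^ ASSUMED_MAGICWORD);
}
/* Accept a usable-size figure only if it is plausible against the size the
 * caller requested itself; otherwise fall back to the requested size.
 * Assumption: at most one page of slack (glibc page-rounds mmap'd chunks). */
size_t checked_usable_size(size_t reported, size_t requested)
{
    const size_t max_slack = 4096;
    if (reported < requested || reported - requested > max_slack)
        return requested;
    return reported;
}
/* The hazard: a write bound taken straight from the allocator's answer.
 * With the bogus value the cap is enormous and a copy would overflow. */
size_t trusting_cap(size_t reported, size_t n)
{
    return n > reported ? reported : n;
}
/* Hardened copy: the bound comes from the size the program tracked itself;
 * the allocator's figure is used only after the plausibility check. */
size_t copy_checked(char *dst, size_t requested, size_t reported,
                    const char *src, size_t n)
{
    size_t cap = checked_usable_size(reported, requested);
    if (n > cap)
        n = cap;
    memcpy(dst, src, n);
    return n;
}
/* Live probe of the running libc: 1 if its answer passes the check. */
int live_usable_size_is_plausible(size_t requested)
{
    void *p = malloc(requested);
    if (!p) return -1;
    size_t u = malloc_usable_size(p);
    int ok = checked_usable_size(u, requested) == u;
    free(p);
    return ok;
}
```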