This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug malloc/22343] Integer overflow in posix_memalign
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 Jan 2018 16:58:51 +0000
- Subject: [Bug malloc/22343] Integer overflow in posix_memalign
- Auto-submitted: auto-generated
- References: <bug-22343-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22343
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 8e448310d74b283c5cd02b9ed7fb997b47bf9b22 (commit)
from 80647883cf5847c8b6b0197e9703eb04222496b6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22
commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22
Author: Arjun Shankar <arjun.is@lostca.se>
Date: Thu Jan 18 16:47:06 2018 +0000
Fix integer overflows in internal memalign and malloc functions [BZ #22343]
When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
and a requested size close to SIZE_MAX, it falls back to malloc code
(because the alignment of a block returned by malloc is sufficient to
satisfy the call). In this case, an integer overflow in _int_malloc leads
to posix_memalign incorrectly returning successfully.
Upon fixing this and writing a somewhat thorough regression test, it was
discovered that when posix_memalign is called with an alignment larger than
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
posix_memalign incorrectly returning successfully.
Both integer overflows affect other memory allocation functions that use
_int_malloc (one affected malloc in x86) or _int_memalign as well.
This commit fixes both integer overflows. In addition to this, it adds a
regression test to guard against false successful allocations by the
following memory allocation functions when called with too-large allocation
sizes and, where relevant, various valid alignments:
malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
aligned_alloc, valloc, and pvalloc.
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 10 ++
malloc/Makefile | 1 +
malloc/malloc.c | 30 ++++--
malloc/tst-malloc-too-large.c | 253 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 286 insertions(+), 8 deletions(-)
create mode 100644 malloc/tst-malloc-too-large.c
--
You are receiving this mail because:
You are on the CC list for the bug.
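The arithmetic the commit message describes, as an added example that is not glibc's code and not part of this commit: a small model of rounding a request up to a chunk size, first unchecked (so a request near SIZE_MAX wraps into a tiny chunk that is then allocated "successfully"), then guarded by a bound checked before the addition; followed by a probe that calls the C library's allocators with sizes near SIZE_MAX and a range of valid alignments, including one smaller than the usual malloc alignment (the fallback-to-malloc case from the first paragraph), and counts any call that returns a pointer instead of failing. The names chunk_size_unchecked, chunk_size_checked and count_false_successes are introduced here, and HDR_SZ, CHUNK_ALIGN and MIN_CHUNK are assumed values chosen to resemble a 64-bit layout, not constants taken from malloc.c.

```c
/* Added example, not glibc's code.  Models the wrap-around described in
   BZ #22343 and probes the C library's allocators with too-large sizes.
   HDR_SZ, CHUNK_ALIGN and MIN_CHUNK are assumed values resembling a
   64-bit layout, not constants taken from malloc.c. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <malloc.h>                          /* memalign */
#endif

#define HDR_SZ      (sizeof(size_t))         /* assumed size-field overhead per chunk */
#define CHUNK_ALIGN (2 * sizeof(size_t))     /* assumed minimum chunk alignment */
#define ALIGN_MASK  (CHUNK_ALIGN - 1)
#define MIN_CHUNK   (4 * sizeof(size_t))     /* assumed smallest chunk */

/* Unchecked model of "round the request up to a chunk size".  When req is
   within HDR_SZ + ALIGN_MASK of SIZE_MAX the addition wraps past zero, and a
   request for nearly the whole address space becomes a MIN_CHUNK-byte chunk
   that the allocator can easily satisfy: the false success. */
size_t chunk_size_unchecked(size_t req)
{
    size_t padded = req + HDR_SZ + ALIGN_MASK;   /* wraps for req >= SIZE_MAX - 22 on 64-bit */
    if (padded < MIN_CHUNK)
        return MIN_CHUNK;
    return padded & ~ALIGN_MASK;
}

/* Checked model: compare against a bound before any arithmetic that can
   wrap.  The bound also reserves the alignment slack an aligned allocation
   needs, which is why the alignment is an input. */
int chunk_size_checked(size_t req, size_t alignment, size_t *out)
{
    if (alignment < CHUNK_ALIGN)
        alignment = CHUNK_ALIGN;           /* small alignments use the plain path */
    if (req > SIZE_MAX - alignment - MIN_CHUNK)
        return 0;                          /* caller reports ENOMEM */
    *out = chunk_size_unchecked(req);      /* cannot wrap now */
    return 1;
}

/* Probe the real allocators.  Returns how many calls handed back a pointer
   for a size that cannot possibly be allocated.  A fixed library returns 0. */
int count_false_successes(void)
{
    /* volatile keeps the compiler from folding the huge constants into the
       calls and warning about or optimising them away. */
    volatile size_t sizes[] = {
        SIZE_MAX, SIZE_MAX - 1, SIZE_MAX - 8, SIZE_MAX - 16,
        SIZE_MAX - 24, SIZE_MAX - 32, SIZE_MAX - 64,
        (size_t) PTRDIFF_MAX + 1,
    };
    /* sizeof(void *) is a valid posix_memalign alignment that is smaller
       than the usual malloc alignment, i.e. the fallback-to-malloc case. */
    const size_t aligns[] = { sizeof(void *), 2 * sizeof(void *), 64, 4096, 1u << 20 };
    int bad = 0;

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t s = sizes[i];
        void *p;

        if ((p = malloc(s)) != NULL)          { bad++; free(p); }
        if ((p = calloc(1, s)) != NULL)       { bad++; free(p); }
        if ((p = calloc(s, 2)) != NULL)       { bad++; free(p); }   /* multiplication overflow path */
        if ((p = realloc(NULL, s)) != NULL)   { bad++; free(p); }

        for (size_t j = 0; j < sizeof aligns / sizeof aligns[0]; j++) {
            size_t a = aligns[j];
            p = NULL;
            if (posix_memalign(&p, a, s) == 0)     { bad++; free(p); }
            if ((p = aligned_alloc(a, s)) != NULL) { bad++; free(p); }
#ifdef __linux__
            if ((p = memalign(a, s)) != NULL)      { bad++; free(p); }
#endif
        }
    }
    return bad;
}

int main(void)
{
    size_t out;
    printf("unchecked: SIZE_MAX-1 -> chunk of %zu bytes\n", chunk_size_unchecked(SIZE_MAX - 1));
    printf("checked:   SIZE_MAX-1 -> %s\n",
           chunk_size_checked(SIZE_MAX - 1, CHUNK_ALIGN, &out) ? "accepted" : "rejected (ENOMEM)");
    printf("false successes from the C library: %d\n", count_false_successes());
    return 0;
}
```

The probe asserts only on whether a pointer comes back, not on errno, because the error code for an unsatisfiable aligned request differs between C libraries; on a glibc that carries this fix every call fails and the count is 0, while the unchecked model shows why the pre-fix code could report success for SIZE_MAX - 1.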