This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/23060] New: posix_memalign() crash with alignment = 0x20 and sizes from (SIZE_MAX - 0x60) to (SIZE_MAX - 0x40)
- From: "gabriel.ganne at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 13 Apr 2018 15:26:12 +0000
- Subject: [Bug libc/23060] New: posix_memalign() crash with alignment = 0x20 and sizes from (SIZE_MAX - 0x60) to (SIZE_MAX - 0x40)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=23060
Bug ID: 23060
Summary: posix_memalign() crash with alignment = 0x20 and sizes from (SIZE_MAX - 0x60) to (SIZE_MAX - 0x40)
Product: glibc
Version: 2.24
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: gabriel.ganne at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 10948
--> https://sourceware.org/bugzilla/attachment.cgi?id=10948&action=edit
posix_memalign() test
Hi,
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Debian GLIBC 2.24-11+deb9u3) stable release version 2.24, by
Roland McGrath et al.
When called with unreasonably huge values (0xffffffffffffffa0 -> 0xffffffffffffffbf) and an alignment of 32, posix_memalign() crashes:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7a6e42a in __GI_abort () at abort.c:89
#2 0x00007ffff7aaac00 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b9fd98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7ab0fc6 in malloc_printerr (action=3, str=0x7ffff7b9fea8 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4 0x00007ffff7ab180e in _int_free (av=av@entry=0x7ffff7dd3b00 <main_arena>, p=0x555555756000, have_lock=have_lock@entry=1) at malloc.c:3905
#5 0x00007ffff7ab39e5 in _int_memalign (av=av@entry=0x7ffff7dd3b00 <main_arena>, alignment=alignment@entry=32, bytes=bytes@entry=18446744073709551551) at malloc.c:4497
#6 0x00007ffff7ab535f in _mid_memalign (alignment=32, bytes=18446744073709551551, address=<optimized out>) at malloc.c:3158
#7 0x00007ffff7ab6fef in __posix_memalign (memptr=0x7fffffffe0d0, alignment=<optimized out>, size=<optimized out>) at malloc.c:5071
#8 0x0000555555554778 in main ()
I believe that the overflow test within _mid_memalign() is not complete, and should test for (bytes > SIZE_MAX - alignment - 2 * MINSIZE) // twice MINSIZE
Otherwise, when calling _int_memalign() a few lines below, we consecutively have:
m = (char *) (_int_malloc (av, size + alignment + MINSIZE)); // + 32 + 32
brk = (char *) mem2chunk (((unsigned long) (m + alignment - 1)) & - ((signed long) alignment)); // shifting with MINSIZE=32 again
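The arithmetic behind the two guards, as an added model written for this page (not code from glibc or from the reporter): it recomputes the size that _int_memalign() asks _int_malloc() for, in size_t so that wraparound shows up, and compares the shipped margin (MINSIZE) with the proposed one (2 * MINSIZE). MINSIZE = 32 is quoted above; SIZE_SZ = 8 and MALLOC_ALIGNMENT = 16 for 64-bit x86 are assumptions of the model, which covers only the padding steps quoted in the report, not what _int_malloc() then does with a request near SIZE_MAX.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* 64-bit x86 glibc constants: MINSIZE = 32 is quoted in the report;
   SIZE_SZ = 8 and MALLOC_ALIGNMENT = 16 are assumptions of this model. */
#define SIZE_SZ           ((size_t) 8)
#define MALLOC_ALIGNMENT  ((size_t) 16)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           ((size_t) 32)
/* Size that _int_memalign() hands to _int_malloc() for a request of `bytes`.
   Returns false when a step wraps size_t, i.e. the request would silently
   become tiny instead of failing with ENOMEM. */
static bool padded_request(size_t bytes, size_t alignment, size_t *total)
{
    size_t nb, t;
    /* request2size(): chunk header plus round-up to MALLOC_ALIGNMENT. */
    if (__builtin_add_overflow(bytes, SIZE_SZ + MALLOC_ALIGN_MASK, &nb)) return false;
    nb &= ~MALLOC_ALIGN_MASK;
    if (nb < MINSIZE) nb = MINSIZE;
    /* Worst-case padding added by _int_memalign(): + alignment + MINSIZE. */
    if (__builtin_add_overflow(nb, alignment, &t)) return false;
    if (__builtin_add_overflow(t, MINSIZE, &t)) return false;
    *total = t;
    return true;
}
/* The _mid_memalign() overflow guard with its margin as a parameter:
   MINSIZE is the shipped test, 2 * MINSIZE the one the report proposes. */
static bool guard_rejects(size_t bytes, size_t alignment, size_t margin)
{
    return bytes > SIZE_MAX - alignment - margin;
}
/* Largest request whose padded size still fits in size_t, found by walking
   down from SIZE_MAX (under a hundred steps for alignment 32). */
static size_t largest_fitting(size_t alignment)
{
    size_t total;
    for (size_t b = SIZE_MAX; b != 0; b--)
        if (padded_request(b, alignment, &total)) return b;
    return 0;
}
int main(void)
{
    size_t bytes = 0xffffffffffffffbfULL, total;   /* the value in the backtrace */
    printf("shipped guard rejects:   %d\n", guard_rejects(bytes, 32, MINSIZE));
    printf("proposed guard rejects:  %d\n", guard_rejects(bytes, 32, 2 * MINSIZE));
    printf("padded request fits:     %d\n", padded_request(bytes, 32, &total));
    printf("largest fitting request: %#zx\n", largest_fitting(32));
    return 0;
}
```

In this model the shipped guard admits the backtrace value although its padded request wraps, while the proposed margin rejects it; the extra MINSIZE of margin is what absorbs the header and alignment round-up (at most SIZE_SZ + MALLOC_ALIGN_MASK bytes) that the shipped test leaves out.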
The patch would simply be:
--- ./malloc/malloc.c.orig
+++ ./malloc/malloc.c
@@ -3137,7 +3137,7 @@
}
/* Check for overflow. */
- if (bytes > SIZE_MAX - alignment - MINSIZE)
+ if (bytes > SIZE_MAX - alignment - 2 * MINSIZE)
{
__set_errno (ENOMEM);
return 0;
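Review bot: the hunk changes the bound without recording why the margin doubles; the comment above it still reads only `/* Check for overflow. */`, so a later reader cannot tell that 2 * MINSIZE is meant to cover the alignment + MINSIZE that _int_memalign() adds on top of the already padded size plus the alignment shift described earlier in the report. Suggest extending that comment to state the derivation, and adding the attached posix_memalign() test (alignment 32, sizes from SIZE_MAX - 0x60 to SIZE_MAX - 0x40) as a regression test alongside the change so the bound cannot silently regress.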