This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

GNU C Library master sources branch master updated. glibc-2.18-346-ga56ee40

From: willnewton at sourceware dot org
To: glibc-cvs at sourceware dot org
Date: 30 Oct 2013 21:46:31 -0000
Subject: GNU C Library master sources branch master updated. glibc-2.18-346-ga56ee40

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd (commit)
      from  c6e4925d4069d38843c02994ffd284e8c87c8929 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd

commit a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd
Author: Will Newton <will.newton@linaro.org>
Date:   Thu Oct 10 13:17:13 2013 +0100

    malloc: Fix for infinite loop in memalign/posix_memalign.
    
    A very large alignment argument passed to mealign/posix_memalign
    causes _int_memalign to enter an infinite loop. Limit the maximum
    alignment value to the maximum representable power of two to
    prevent this from happening.
    
    Changelog:
    
    2013-10-30  Will Newton  <will.newton@linaro.org>
    
    	[BZ #16038]
    	* malloc/hooks.c (memalign_check): Limit alignment to the
    	maximum representable power of two.
    	* malloc/malloc.c (__libc_memalign): Likewise.
    	* malloc/tst-memalign.c (do_test): Add test for very
    	large alignment values.
    	* malloc/tst-posix_memalign.c (do_test): Likewise.

diff --git a/ChangeLog b/ChangeLog
index 4444868..4d7a951 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2013-10-30  Will Newton  <will.newton@linaro.org>
+
+	[BZ #16038]
+	* malloc/hooks.c (memalign_check): Limit alignment to the
+	maximum representable power of two.
+	* malloc/malloc.c (__libc_memalign): Likewise.
+	* malloc/tst-memalign.c (do_test): Add test for very
+	large alignment values.
+	* malloc/tst-posix_memalign.c (do_test): Likewise.
+
 2013-10-30  OndÅ?ej BÃlka  <neleai@seznam.cz>
 
 	[BZ #11087]
diff --git a/malloc/hooks.c b/malloc/hooks.c
index 3f663bb..1dbe93f 100644
--- a/malloc/hooks.c
+++ b/malloc/hooks.c
@@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
   if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
+     power of 2 and will cause overflow in the check below.  */
+  if (alignment > SIZE_MAX / 2 + 1)
+    {
+      __set_errno (EINVAL);
+      return 0;
+    }
+
   /* Check for overflow.  */
   if (bytes > SIZE_MAX - alignment - MINSIZE)
     {
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 79025b1..29796fe 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
+     power of 2 and will cause overflow in the check below.  */
+  if (alignment > SIZE_MAX / 2 + 1)
+    {
+      __set_errno (EINVAL);
+      return 0;
+    }
+
   /* Check for overflow.  */
   if (bytes > SIZE_MAX - alignment - MINSIZE)
     {
diff --git a/malloc/tst-memalign.c b/malloc/tst-memalign.c
index 1c59752..cf48e7e 100644
--- a/malloc/tst-memalign.c
+++ b/malloc/tst-memalign.c
@@ -70,6 +70,21 @@ do_test (void)
 
   free (p);
 
+  errno = 0;
+
+  /* Test to expose integer overflow in malloc internals from BZ #16038.  */
+  p = memalign (-1, pagesize);
+
+  save = errno;
+
+  if (p != NULL)
+    merror ("memalign (-1, pagesize) succeeded.");
+
+  if (p == NULL && save != EINVAL)
+    merror ("memalign (-1, pagesize) errno is not set correctly");
+
+  free (p);
+
   /* A zero-sized allocation should succeed with glibc, returning a
      non-NULL value.  */
   p = memalign (sizeof (void *), 0);
diff --git a/malloc/tst-posix_memalign.c b/malloc/tst-posix_memalign.c
index 27c0dd2..7f34e37 100644
--- a/malloc/tst-posix_memalign.c
+++ b/malloc/tst-posix_memalign.c
@@ -65,6 +65,16 @@ do_test (void)
 
   p = NULL;
 
+  /* Test to expose integer overflow in malloc internals from BZ #16038.  */
+  ret = posix_memalign (&p, -1, pagesize);
+
+  if (ret != EINVAL)
+    merror ("posix_memalign (&p, -1, pagesize) succeeded.");
+
+  free (p);
+
+  p = NULL;
+
   /* A zero-sized allocation should succeed with glibc, returning zero
      and setting p to a non-NULL value.  */
   ret = posix_memalign (&p, sizeof (void *), 0);

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                   |   10 ++++++++++
 malloc/hooks.c              |    8 ++++++++
 malloc/malloc.c             |    8 ++++++++
 malloc/tst-memalign.c       |   15 +++++++++++++++
 malloc/tst-posix_memalign.c |   10 ++++++++++
 5 files changed, 51 insertions(+), 0 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]