This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ #22375]


On Monday 06 November 2017 10:02 PM, Arjun Shankar wrote:
> When the per-thread cache is enabled, __libc_malloc uses request2size (which
> does not perform an overflow check) to calculate the chunk size from the
> requested allocation size. This leads to an integer overflow causing malloc
> to incorrectly return the last successfully allocated block when called with
> a very large size argument (close to SIZE_MAX) instead of returning NULL and
> setting errno to ENOMEM.

That sounds CVE-worthy.

Siddhesh
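The wraparound described in the quoted patch summary, modelled as an added example; this is not glibc's code and not the patch under discussion. The function names and the three layout constants are assumptions chosen for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout constants for this model (not taken from glibc). */
#define HDR_SZ     (sizeof(size_t))          /* per-chunk size field   */
#define ALIGN_MASK (2 * sizeof(size_t) - 1)  /* chunk alignment - 1    */
#define MIN_CHUNK  (4 * sizeof(size_t))      /* smallest chunk size    */

/* Unchecked conversion from request size to chunk size: add the header,
   round up to the alignment. For req close to SIZE_MAX the addition wraps
   modulo 2^N, so a huge request maps to the smallest chunk size. */
static size_t unchecked_request2size(size_t req)
{
    size_t padded = req + HDR_SZ + ALIGN_MASK;   /* may wrap around */
    return padded < MIN_CHUNK ? MIN_CHUNK : (padded & ~ALIGN_MASK);
}

/* Checked conversion: refuse any request whose padded size cannot be
   represented. Returns 0 (never a valid chunk size) and sets errno to
   ENOMEM on failure, which is what the caller should pass back as NULL. */
static size_t checked_request2size(size_t req)
{
    if (req > SIZE_MAX - HDR_SZ - ALIGN_MASK) {
        errno = ENOMEM;
        return 0;
    }
    return unchecked_request2size(req);
}

int main(void)
{
    /* Constructed sample requests: two ordinary sizes, three near SIZE_MAX. */
    size_t reqs[] = { 24, 100, SIZE_MAX - 40, SIZE_MAX - 1, SIZE_MAX };

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        size_t c = checked_request2size(reqs[i]);
        printf("req=%zu unchecked=%zu checked=", reqs[i],
               unchecked_request2size(reqs[i]));
        if (c == 0)
            printf("ENOMEM\n");
        else
            printf("%zu\n", c);
    }
    return 0;
}
```

With the unchecked form, a request of SIZE_MAX is indistinguishable from a minimum-size request by the time a size-indexed cache lookup sees it, which is why the check has to happen before the conversion result is used.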

