This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ #22375]
- From: Siddhesh Poyarekar <siddhesh at gotplt dot org>
- To: Arjun Shankar <arjun dot is at lostca dot se>, libc-alpha at sourceware dot org
- Date: Tue, 7 Nov 2017 11:57:20 +0530
- Subject: Re: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ #22375]
- Authentication-results: sourceware.org; auth=none
- References: <20171106163248.GA48861@aloka.lostca.se>
On Monday 06 November 2017 10:02 PM, Arjun Shankar wrote:
> When the per-thread cache is enabled, __libc_malloc uses request2size (which
> does not perform an overflow check) to calculate the chunk size from the
> requested allocation size. This leads to an integer overflow causing malloc
> to incorrectly return the last successfully allocated block when called with
> a very large size argument (close to SIZE_MAX) instead of returning NULL and
> setting errno to ENOMEM.
That sounds CVE-worthy.
Siddhesh
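The overflow described in the quoted report, as an added example that is not part of this thread or of glibc's own source: a simplified C model of the unchecked request2size arithmetic next to a checked variant that rejects the request with ENOMEM. The constants (SIZE_SZ, MALLOC_ALIGNMENT, MINSIZE) and the out-of-range bound are assumptions modelled on glibc's definitions, not copied from it.

```c
/* Simplified model of glibc's request-to-chunk-size arithmetic.
   Constants are assumptions approximating glibc's (16-byte alignment on x86-64). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SIZE_SZ            (sizeof(size_t))
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            ((4 * SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* Unchecked conversion, as the tcache path of __libc_malloc used it before the
   fix: adding the header size and alignment slop wraps when req is near SIZE_MAX,
   so a huge request silently becomes the smallest chunk size. */
static size_t unchecked_request2size(size_t req)
{
    size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;   /* may wrap around */
    return padded < MINSIZE ? MINSIZE : (padded & ~MALLOC_ALIGN_MASK);
}

/* True when req is too large for the padding above to fit in size_t
   (assumed bound, modelled on glibc's REQUEST_OUT_OF_RANGE). */
static int request_out_of_range(size_t req)
{
    return req >= (size_t)0 - 2 * MINSIZE;
}

/* Checked conversion: refuses out-of-range requests with ENOMEM instead of
   letting the arithmetic wrap. Returns 0 on success, -1 on failure. */
static int checked_request2size(size_t req, size_t *out)
{
    if (request_out_of_range(req)) {
        errno = ENOMEM;
        return -1;
    }
    *out = unchecked_request2size(req);
    return 0;
}

int main(void)
{
    size_t huge = SIZE_MAX - 1, sz;
    printf("unchecked: request %zu -> chunk size %zu (MINSIZE is %zu)\n",
           huge, unchecked_request2size(huge), (size_t)MINSIZE);
    if (checked_request2size(huge, &sz) < 0)
        printf("checked:   request %zu -> rejected, errno == ENOMEM: %d\n",
               huge, errno == ENOMEM);
    return 0;
}
```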