This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v3] Fix integer overflows in internal memalign and malloc functions [BZ #22343]
- From: Carlos O'Donell <carlos at redhat dot com>
- To: Arjun Shankar <arjun dot is at lostca dot se>, libc-alpha at sourceware dot org
- Cc: Paul Eggert <eggert at cs dot ucla dot edu>, Florian Weimer <fweimer at redhat dot com>
- Date: Thu, 18 Jan 2018 08:51:26 -0800
- Subject: Re: [PATCH v3] Fix integer overflows in internal memalign and malloc functions [BZ #22343]
- References: <20180118164706.GA72022@aloka.lostca.se>
On 01/18/2018 08:47 AM, Arjun Shankar wrote:
> When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
> and a requested size close to SIZE_MAX, it falls back to malloc code
> (because the alignment of a block returned by malloc is sufficient to
> satisfy the call). In this case, an integer overflow in _int_malloc leads
> to posix_memalign incorrectly returning successfully.
>
> Upon fixing this and writing a somewhat thorough regression test, it was
> discovered that when posix_memalign is called with an alignment larger than
> MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
> close to SIZE_MAX, a different integer overflow in _int_memalign leads to
> posix_memalign incorrectly returning successfully.
>
> Both integer overflows affect other memory allocation functions that use
> _int_malloc (one affected malloc in x86) or _int_memalign as well.
>
> This commit fixes both integer overflows. In addition to this, it adds a
> regression test to guard against false successful allocations by the
> following memory allocation functions when called with too-large allocation
> sizes and, where relevant, various valid alignments:
> malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
> aligned_alloc, valloc, and pvalloc.
>
> ChangeLog:
>
> 2018-01-18 Arjun Shankar <arjun@redhat.com>
>
> [BZ #22343]
> * malloc/malloc.c (checked_request2size): call REQUEST_OUT_OF_RANGE
> after padding.
> (_int_memalign): check for integer overflow before calling
> _int_malloc.
> * malloc/tst-malloc-too-large.c: New test.
> * malloc/Makefile: Add tst-malloc-too-large.
> ---
> v1 discussion: https://sourceware.org/ml/libc-alpha/2018-01/msg00133.html
> v2 discussion: https://sourceware.org/ml/libc-alpha/2018-01/msg00582.html
> v3:
> * correctly indents checked_request2size
> * removes timeout definition in tst-malloc-too-large (20 sec is default)
LGTM.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
--
Cheers,
Carlos.
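The two overflows the quoted commit message describes, in an added example that is not glibc's code: a simplified model of malloc's size padding (the constants SIZE_SZ, MALLOC_ALIGNMENT and MINSIZE are assumed for illustration) in which an unchecked request2size wraps for a request near SIZE_MAX, beside the two checks the ChangeLog names: the range check applied to the padded size, and the overflow check on the memalign worst-case sum before it is handed to malloc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of malloc's size arithmetic; the constants are
   assumptions for illustration, not glibc's definitions.  */
#define SIZE_SZ           (sizeof (size_t))   /* chunk header word */
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)       /* smallest chunk */

/* Pad a request with the header and round up to the alignment.  Unchecked:
   when req is within SIZE_SZ + MALLOC_ALIGN_MASK of SIZE_MAX the sum wraps,
   the tiny result is bumped to MINSIZE, and an impossible request silently
   becomes a minimum-size allocation.  */
static size_t
request2size (size_t req)
{
  size_t padded = req + SIZE_SZ + MALLOC_ALIGN_MASK;
  return padded < MINSIZE ? MINSIZE : padded & ~MALLOC_ALIGN_MASK;
}

/* Sizes this close to SIZE_MAX leave no headroom for later padding.  */
#define REQUEST_OUT_OF_RANGE(sz) ((sz) > SIZE_MAX - 2 * MINSIZE)

/* Checked padding: validate the padded result, not only the input.
   A wrapped sum is smaller than the request it came from.  */
static bool
checked_request2size (size_t req, size_t *sz)
{
  *sz = request2size (req);
  return *sz >= req && !REQUEST_OUT_OF_RANGE (*sz);
}

/* Worst-case size a memalign implementation asks malloc for so an aligned
   chunk can be carved out; a valid nb can still overflow once the alignment
   slack is added, so the sum is checked before it is used.  */
static bool
memalign_malloc_size (size_t bytes, size_t alignment, size_t *total)
{
  size_t nb;
  if (alignment == 0 || (alignment & (alignment - 1)) != 0)
    return false;                     /* alignment must be a power of two */
  if (!checked_request2size (bytes, &nb))
    return false;
  if (nb > SIZE_MAX - alignment - MINSIZE)
    return false;                     /* nb + alignment + MINSIZE would wrap */
  *total = nb + alignment + MINSIZE;
  return true;
}
```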