Bug 23060 - posix_memalign() crash with alignment = 0x20 and sizes from (SIZE_MAX - 0x60) to (SIZE_MAX - 0x40)
Summary: posix_memalign() crash with alignment = 0x20 and sizes from (SIZE_MAX - 0x60)...
Status: RESOLVED DUPLICATE of bug 22343
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc
Version: 2.24
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-04-13 15:26 UTC by Gabriel Ganne
Modified: 2018-04-18 12:26 UTC (History)

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Attachments
posix_memalign() test (199 bytes, text/x-csrc)
2018-04-13 15:26 UTC, Gabriel Ganne
Description Gabriel Ganne 2018-04-13 15:26:12 UTC
Created attachment 10948 [details]
posix_memalign() test

Hi,

$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Debian GLIBC 2.24-11+deb9u3) stable release version 2.24, by Roland McGrath et al.

when called with unreasonably huge values (0xffffffffffffffa0 -> 0xffffffffffffffbf) and an alignment of 32, posix_memalign() crashes:
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7a6e42a in __GI_abort () at abort.c:89
#2  0x00007ffff7aaac00 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7b9fd98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7ab0fc6 in malloc_printerr (action=3, str=0x7ffff7b9fea8 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4  0x00007ffff7ab180e in _int_free (av=av@entry=0x7ffff7dd3b00 <main_arena>, p=0x555555756000, have_lock=have_lock@entry=1) at malloc.c:3905
#5  0x00007ffff7ab39e5 in _int_memalign (av=av@entry=0x7ffff7dd3b00 <main_arena>, alignment=alignment@entry=32, bytes=bytes@entry=18446744073709551551) at malloc.c:4497
#6  0x00007ffff7ab535f in _mid_memalign (alignment=32, bytes=18446744073709551551, address=<optimized out>) at malloc.c:3158
#7  0x00007ffff7ab6fef in __posix_memalign (memptr=0x7fffffffe0d0, alignment=<optimized out>, size=<optimized out>) at malloc.c:5071
#8  0x0000555555554778 in main ()

I believe that the overflow test within _mid_memalign() is not complete, and should test for (bytes > SIZE_MAX - alignment - 2 * MINSIZE) // twice MINSIZE

Otherwise, when calling _int_memalign() a few lines below, we consecutively have:
m = (char *) (_int_malloc (av, size + alignment + MINSIZE)); // + 32 + 32
brk = (char *) mem2chunk (((unsigned long) (m + alignment - 1)) & - ((signed long) alignment)); // shifting with MINSIZE=32 again

The patch would simply be:
--- ./malloc/malloc.c.orig
+++ ./malloc/malloc.c
@@ -3137,7 +3137,7 @@
     }

   /* Check for overflow.  */
-  if (bytes > SIZE_MAX - alignment - MINSIZE)
+  if (bytes > SIZE_MAX - alignment - 2 * MINSIZE)
     {
       __set_errno (ENOMEM);
       return 0;
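Review bot: the new bound `SIZE_MAX - alignment - 2 * MINSIZE` is a derived constant and the unchanged `/* Check for overflow.  */` comment does not say where the second MINSIZE comes from; extend the comment to record the reasoning given in the report (one MINSIZE is added in the `_int_malloc (av, size + alignment + MINSIZE)` call and a second is consumed when the returned pointer is rounded up to `alignment` in `_int_memalign`), so the next reader does not have to rediscover it. Two further points: the check is enforced in `_mid_memalign`, the caller, while the arithmetic that actually wraps lives in `_int_memalign`, so any other path into `_int_memalign` would need its own guard; the commit cited in comment 1 (BZ #22343, "Fix integer overflows in internal memalign and malloc functions") moves the checks into the internal functions, which is the more robust placement. And the attached 199-byte test program should become a regression test covering alignment 32 with sizes 0xffffffffffffffa0 through 0xffffffffffffffbf, expecting ENOMEM rather than an abort in free().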
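To make the reporter's bound concrete, here is an added example (not code from the bug report or from glibc) that implements the proposed overflow predicate beside the original one, counts how many sizes in the reported range each rejects at alignment 0x20, and wraps posix_memalign() in a caller-side pre-check that returns ENOMEM before the request ever reaches an allocator whose internal check is too narrow. The value MINSIZE = 32 is assumed from the report's "MINSIZE=32" remark about this 64-bit build and is not read from glibc headers; the function names are the example's own.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed: smallest chunk glibc malloc hands out on this 64-bit build,
   taken from the report's comment "MINSIZE=32".  Example value only. */
#define MINSIZE 32

/* Original check from the unpatched _mid_memalign():
   one MINSIZE of slack on top of the alignment. */
bool original_check_overflows(size_t bytes, size_t alignment)
{
    if (alignment > SIZE_MAX - MINSIZE)
        return true;                     /* bound itself would wrap */
    return bytes > SIZE_MAX - alignment - MINSIZE;
}

/* Reporter's proposed bound: room for the alignment slack plus two
   MINSIZE adjustments (one added in the _int_malloc call, one consumed
   when the result is rounded up to the alignment). */
bool proposed_check_overflows(size_t bytes, size_t alignment)
{
    if (alignment > SIZE_MAX - 2 * MINSIZE)
        return true;                     /* bound itself would wrap */
    return bytes > SIZE_MAX - alignment - 2 * MINSIZE;
}

/* Count how many sizes in the crashing range reported in the description
   (0xffffffffffffffa0 .. 0xffffffffffffffbf, i.e. SIZE_MAX-0x5f .. SIZE_MAX-0x40)
   a given predicate rejects at alignment 0x20.  Written width-independently
   so it also compiles where size_t is narrower. */
size_t count_rejected(bool (*check)(size_t, size_t))
{
    size_t rejected = 0;
    for (size_t s = SIZE_MAX - 0x5f; ; s++) {
        if (check(s, 0x20))
            rejected++;
        if (s == SIZE_MAX - 0x40)        /* stop before s wraps */
            break;
    }
    return rejected;
}

/* POSIX requires the alignment to be a power of two and a multiple of
   sizeof(void *). */
bool valid_memalign_alignment(size_t alignment)
{
    return alignment != 0
        && (alignment & (alignment - 1)) == 0
        && alignment % sizeof(void *) == 0;
}

/* Caller-side wrapper: validate the request first, so an unreasonable
   size gets a clean ENOMEM instead of reaching an allocator that aborts
   in free() on the wrapped chunk size. */
int checked_posix_memalign(void **memptr, size_t alignment, size_t size)
{
    if (!valid_memalign_alignment(alignment))
        return EINVAL;
    if (proposed_check_overflows(size, alignment))
        return ENOMEM;
    return posix_memalign(memptr, alignment, size);
}

int main(void)
{
    printf("original check rejects %zu of 32 reported sizes\n",
           count_rejected(original_check_overflows));
    printf("proposed check rejects %zu of 32 reported sizes\n",
           count_rejected(proposed_check_overflows));

    void *p = NULL;
    int rc = checked_posix_memalign(&p, 0x20, SIZE_MAX - 0x50);
    printf("huge request: rc=%d (%s)\n", rc, rc == ENOMEM ? "ENOMEM" : "other");

    rc = checked_posix_memalign(&p, 0x20, 1000);
    printf("normal request: rc=%d\n", rc);
    if (rc == 0)
        free(p);
    return 0;
}
```

The contrast between the two counters is the whole bug: the original bound sits at SIZE_MAX - 0x40 and lets every reported size through, while the proposed bound sits at SIZE_MAX - 0x60 and rejects all 32 of them. The wrapper is a mitigation a program can apply on its own build of glibc 2.24; it does not replace the upstream fix.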
Comment 1 Carlos O'Donell 2018-04-18 03:59:39 UTC
I might expect this is fixed by this:

commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Thu Jan 18 16:47:06 2018 +0000

    Fix integer overflows in internal memalign and malloc functions [BZ #22343]


Are you able to test on master?
Comment 2 Gabriel Ganne 2018-04-18 06:54:37 UTC
(In reply to Carlos O'Donell from comment #1)
> I might expect this is fixed by this:
> 
> commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22
> Author: Arjun Shankar <arjun.is@lostca.se>
> Date:   Thu Jan 18 16:47:06 2018 +0000
> 
>     Fix integer overflows in internal memalign and malloc functions [BZ
> #22343]
> 
> 
> Are you able to test on master?

You're right, it does.
I'm sorry, I had not seen it.
Thanks
Comment 3 Florian Weimer 2018-04-18 12:26:23 UTC
Marking as duplicate per comment 1 and comment 2.

*** This bug has been marked as a duplicate of bug 22343 ***