Bug 23741 - Missing __attribute_alloc_size__ in many allocation functions
Summary: Missing __attribute_alloc_size__ in many allocation functions
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc (show other bugs)
Version: unspecified
: P2 enhancement
Target Milestone: 2.30
Assignee: Adhemerval Zanella
Depends on:
Reported: 2018-10-05 15:02 UTC by Cristian Rodríguez
Modified: 2019-04-18 22:34 UTC (History)
1 user (show)

See Also:
Last reconfirmed:
fweimer: security-


Note You need to log in before you can comment on or make changes to this bug.
Description Cristian Rodríguez 2018-10-05 15:02:40 UTC
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int main(void)
    void *f = malloc(SIZE_MAX);
        return 1; 
    return 0; 

If you compile any code that uses *alloc functions with -fno-builtin or -fno-builtin-malloc you will not get useful warnings from GCC like

c.c:11:15: warning: argument 1 value ‘18446744073709551615’ exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]

This happens because stdlib.h / malloc.h lacks of
__attribute_alloc_size__ annocations for functions malloc, calloc, realloc, reallocarray.
Comment 1 Adhemerval Zanella 2018-10-18 14:37:36 UTC
It has been discussed how to handle objects larger than PTRDIFF_MAX on GCC PR#67999 [1] and I think the issue is now glibc *does* allow such objects.

We do use on C11 aligned_alloc, but my guess is to enforce size is multiple than alignment instead of enforcing object size are no larger than PTRDIFF_MAX.

It seems that some *very* specific programs does allocate objects larger PTRDIFF_MAX, as indicated by Florian in GCC PR, but I also see that current GCC support for such objects is sketchy to say at least and others libc are moving to not allow it.

So I think before adding such annotation we need discuss whether we want to allow such kind of allocation on malloc and mmap functions. I will bring this on discussion at libc-alpha.

[1] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
Comment 2 Sourceware Commits 2019-04-18 22:29:48 UTC
The master branch has been updated by Adhemerval Zanella <azanella@sourceware.org>:


commit 9bf8e29ca136094f73f69f725f15c51facc97206
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Tue Dec 18 16:30:56 2018 -0200

    malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
    As discussed previously on libc-alpha [1], this patch follows up the idea
    and add both the __attribute_alloc_size__ on malloc functions (malloc,
    calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit
    maximum requested allocation size to up PTRDIFF_MAX (taking into
    consideration internal padding and alignment).
    This aligns glibc with gcc expected size defined by default warning
    -Walloc-size-larger-than value which warns for allocation larger than
    PTRDIFF_MAX.  It also aligns with gcc expectation regarding libc and
    expected size, such as described in PR#67999 [2] and previously discussed
    ISO C11 issues [3] on libc-alpha.
    From the RFC thread [4] and previous discussion, it seems that consensus
    is only to limit such requested size for malloc functions, not the system
    allocation one (mmap, sbrk, etc.).
    The implementation changes checked_request2size to check for both overflow
    and maximum object size up to PTRDIFF_MAX. No additional checks are done
    on sysmalloc, so it can still issue mmap with values larger than
    PTRDIFF_T depending on the requested size.
    The __attribute_alloc_size__ is for functions that return a pointer only,
    which means it cannot be applied to posix_memalign (see remarks in GCC
    PR#87683 [5]). The runtimes checks to limit maximum requested allocation
    size does applies to posix_memalign.
    Checked on x86_64-linux-gnu and i686-linux-gnu.
    [1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
    [2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
    [3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
    [4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
    [5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683
    	[BZ #23741]
    	* malloc/hooks.c (malloc_check, realloc_check): Use
    	__builtin_add_overflow on overflow check and adapt to
    	checked_request2size change.
    	* malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
    	__libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
    	allocation size to PTRDIFF_MAX.
    	(REQUEST_OUT_OF_RANGE): Remove macro.
    	(checked_request2size): Change to inline function and limit maximum
    	requested size to PTRDIFF_MAX.
    	(__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
    	maximum allocation size to PTRDIFF_MAX.
    	(_mid_memalign): Use _int_memalign call for overflow check.
    	(__libc_pvalloc): Use __builtin_add_overflow on overflow check.
    	(__libc_calloc): Use __builtin_mul_overflow for overflow check and
    	limit maximum requested size to PTRDIFF_MAX.
    	* malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
    	valloc, pvalloc): Add __attribute_alloc_size__.
    	* stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
    	* malloc/tst-malloc-too-large.c (do_test): Add check for allocation
    	larger than PTRDIFF_MAX.
    	* malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
    	around tests of malloc with negative sizes.
    	* malloc/tst-posix_memalign.c (do_test): Likewise.
    	* malloc/tst-pvalloc.c (do_test): Likewise.
    	* malloc/tst-valloc.c (do_test): Likewise.
    	* malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
    	with resulting size allocation larger than PTRDIFF_MAX with
    	(reallocarray_nowarn): New function.
    	* NEWS: Mention the malloc function semantic change.
Comment 3 Adhemerval Zanella 2019-04-18 22:30:52 UTC
Fixed on 2.30 (commit 9bf8e29ca136094f73f69f725f15c51facc97206).
Comment 4 Adhemerval Zanella 2019-04-18 22:34:18 UTC
As previous comment.