This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug malloc/23741] Missing __attribute_alloc_size__ in many allocation functions


https://sourceware.org/bugzilla/show_bug.cgi?id=23741

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Adhemerval Zanella
<azanella@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9bf8e29ca136094f73f69f725f15c51facc97206

commit 9bf8e29ca136094f73f69f725f15c51facc97206
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Tue Dec 18 16:30:56 2018 -0200

    malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)

    As discussed previously on libc-alpha [1], this patch follows up the idea
    and adds both the __attribute_alloc_size__ on malloc functions (malloc,
    calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limits
    the maximum requested allocation size to PTRDIFF_MAX (taking into
    consideration internal padding and alignment).

    This aligns glibc with the gcc expected size defined by the default
    -Walloc-size-larger-than warning value, which warns for allocations larger
    than PTRDIFF_MAX.  It also aligns with gcc's expectation regarding libc and
    expected size, as described in PR#67999 [2] and the previously discussed
    ISO C11 issues [3] on libc-alpha.

    From the RFC thread [4] and previous discussion, it seems that the consensus
    is only to limit such requested sizes for malloc functions, not the system
    allocation ones (mmap, sbrk, etc.).

    The implementation changes checked_request2size to check for both overflow
    and maximum object size up to PTRDIFF_MAX. No additional checks are done
    on sysmalloc, so it can still issue mmap with values larger than
    PTRDIFF_T depending on the requested size.

    The __attribute_alloc_size__ is for functions that return a pointer only,
    which means it cannot be applied to posix_memalign (see remarks in GCC
    PR#87683 [5]). The runtime checks to limit the maximum requested allocation
    size do apply to posix_memalign.

    Checked on x86_64-linux-gnu and i686-linux-gnu.

    [1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html
    [2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999
    [3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html
    [4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html
    [5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683

        [BZ #23741]
        * malloc/hooks.c (malloc_check, realloc_check): Use
        __builtin_add_overflow on overflow check and adapt to
        checked_request2size change.
        * malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign,
        __libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum
        allocation size to PTRDIFF_MAX.
        (REQUEST_OUT_OF_RANGE): Remove macro.
        (checked_request2size): Change to inline function and limit maximum
        requested size to PTRDIFF_MAX.
        (__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit
        maximum allocation size to PTRDIFF_MAX.
        (_mid_memalign): Use _int_memalign call for overflow check.
        (__libc_pvalloc): Use __builtin_add_overflow on overflow check.
        (__libc_calloc): Use __builtin_mul_overflow for overflow check and
        limit maximum requested size to PTRDIFF_MAX.
        * malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign,
        valloc, pvalloc): Add __attribute_alloc_size__.
        * stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise.
        * malloc/tst-malloc-too-large.c (do_test): Add check for allocation
        larger than PTRDIFF_MAX.
        * malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than=
        around tests of malloc with negative sizes.
        * malloc/tst-posix_memalign.c (do_test): Likewise.
        * malloc/tst-pvalloc.c (do_test): Likewise.
        * malloc/tst-valloc.c (do_test): Likewise.
        * malloc/tst-reallocarray.c (do_test): Replace call to reallocarray
        with resulting size allocation larger than PTRDIFF_MAX with
        reallocarray_nowarn.
        (reallocarray_nowarn): New function.
        * NEWS: Mention the malloc function semantic change.

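The following is an added illustration, not glibc's code, of the check the commit describes: an inline request-to-chunk-size conversion that rejects both size_t overflow (via __builtin_add_overflow) and any padded request above PTRDIFF_MAX, and a malloc wrapper carrying the alloc_size attribute. The padding, alignment mask and minimum size constants are constructed stand-ins for glibc's internal SIZE_SZ, MALLOC_ALIGN_MASK and MINSIZE.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for glibc's SIZE_SZ, MALLOC_ALIGN_MASK and MINSIZE. */
#define REQ_PAD        (sizeof (size_t))
#define REQ_ALIGN_MASK (2 * sizeof (size_t) - 1)
#define REQ_MINSIZE    (4 * sizeof (size_t))

/* Model of checked_request2size: returns true and stores the aligned chunk
   size when REQ plus header padding neither overflows size_t nor exceeds
   PTRDIFF_MAX; returns false otherwise so the caller can fail with ENOMEM. */
static bool
request_in_range (size_t req, size_t *chunk_size)
{
  size_t padded;
  if (__builtin_add_overflow (req, REQ_PAD + REQ_ALIGN_MASK, &padded))
    return false;                       /* size_t wrap-around */
  if (padded > (size_t) PTRDIFF_MAX)
    return false;                       /* object would exceed ptrdiff_t */
  size_t sz = padded & ~REQ_ALIGN_MASK;
  *chunk_size = sz < REQ_MINSIZE ? REQ_MINSIZE : sz;
  return true;
}

/* Wrapper annotated like the patched malloc.h prototypes: gcc can now warn
   (-Walloc-size-larger-than) on constant requests above PTRDIFF_MAX, and the
   runtime check fails such requests with ENOMEM instead of allocating. */
__attribute__ ((alloc_size (1))) static void *
checked_malloc (size_t req)
{
  size_t sz;
  if (!request_in_range (req, &sz))
    {
      errno = ENOMEM;
      return NULL;
    }
  return malloc (req);
}

/* Runtime path: volatile keeps the constant out of the compile-time warning
   so the ENOMEM behaviour itself is exercised. */
static bool
too_large_fails (void)
{
  volatile size_t big = (size_t) PTRDIFF_MAX + 1;
  errno = 0;
  void *p = checked_malloc (big);
  return p == NULL && errno == ENOMEM;
}
```

A request of exactly PTRDIFF_MAX is rejected as well, because the padding pushes the padded size past the limit even though no size_t overflow occurs.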
