This is the mail archive of the mailing list for the elfutils project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Bugzilla component missing and another (minor) fuzzing-related bug report

On Mon, 2015-10-19 at 03:50 +0300, Alexander Cherepanov wrote:
> On 2015-06-24 11:14, Mark Wielaard wrote:
> > But in this case as far as I know these kind of malloc argument checks
> > are indeed just noise. We do check the results of malloc everywhere
> > (or should at least). I might be wrong of course, or miss something
> > subtle. So please do let me know if you think it is something to fix
> > differently from how we handle it currently.
> gcc doesn't support objects more than half the address space in size -- 
> . So if you are 
> malloc'ing >2GB on 32-bit platforms you should be concerned.

Urgh. So malloc might return a memory object larger than PTRDIFF_MAX?
I had indeed assumed something like that couldn't happen. It makes the
size calculations and/or indexing into such a memory object afterwards a
little tricky I believe. Since pointer + something > PTRDIFF_MAX seems
not well defined. hmmmm.

I think it makes sense to raise this as a bug against glibc.
And we probably do have to audit all such suspicious mallocs to make
sure we aren't actually doing any pointer calculations using the size
(or just reject any allocation > PTRDIFF_MAX).



Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]