[patch] Correct range checking in mallopt/mxfast/tcache [BZ #25194]

Carlos O'Donell codonell@redhat.com
Wed Dec 4 04:29:00 GMT 2019


On 12/3/19 6:09 PM, DJ Delorie wrote:
> 
> From 2da566d7d7c956658d1d6009875ceab85b3d190b Mon Sep 17 00:00:00 2001
> From: DJ Delorie <dj@redhat.com>
> Date: Tue, 3 Dec 2019 17:44:36 -0500
> Subject: Correct range checking in mallopt/mxfast/tcache [BZ #25194]
> 
> do_set_tcache_max, do_set_mxfast:
> Fix two instances of comparing "size_t < 0"
> Both cases have an upper limit, so the "negative value" case
> is already handled via (undefined) overflow semantics.
> 
> mallopt:
> pass return value of do_set_mxfast to user.
> 
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 70cc35a473..ed16a72dbd 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -5086,13 +5086,14 @@ do_set_arena_max (size_t value)
>  static __always_inline int
>  do_set_tcache_max (size_t value)
>  {
> -  if (value >= 0 && value <= MAX_TCACHE_SIZE)
> +  if (value <= MAX_TCACHE_SIZE)

Does this allow mallopt to accept an invalid large negative
value that, after wrapping, is treated as less than MAX_TCACHE_SIZE
and is thus accepted instead of rejected?

mallopt takes an int value, and I think we should be checking
that input for validity before casting it.

>      {
>        LIBC_PROBE (memory_tunable_tcache_max_bytes, 2, value, mp_.tcache_max_bytes);
>        mp_.tcache_max_bytes = value;
>        mp_.tcache_bins = csize2tidx (request2size(value)) + 1;
> +      return 1;
>      }
> -  return 1;
> +  return 0;
>  }
>  
>  static __always_inline int
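Review bot: `do_set_tcache_max` now returns 0 for a rejected value where it used to return 1 unconditionally, but nothing in the hunk documents that contract. A one-line comment above the function would record it, e.g. `/* Return 1 if VALUE was in range and applied, 0 if it was rejected.  */`. The same change is made to `do_set_tcache_count` in the next hunk, whose range check lies outside that hunk, and the commit message does not list it. Callers of both helpers are not visible on this page; any that relied on the old always-1 result should be checked.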
> @@ -5102,8 +5103,9 @@ do_set_tcache_count (size_t value)
>      {
>        LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count);
>        mp_.tcache_count = value;
> +      return 1;
>      }
> -  return 1;
> +  return 0;
>  }
>  
>  static __always_inline int
> @@ -5119,7 +5121,7 @@ static inline int
>  __always_inline
>  do_set_mxfast (size_t value)
>  {
> -  if (value >= 0 && value <= MAX_FAST_SIZE)
> +  if (value <= MAX_FAST_SIZE)
>      {
>        LIBC_PROBE (memory_mallopt_mxfast, 2, value, get_max_fast ());
>        set_max_fast (value);
> @@ -5147,7 +5149,7 @@ __libc_mallopt (int param_number, int value)
>    switch (param_number)
>      {
>      case M_MXFAST:
> -      do_set_mxfast (value);
> +      res = do_set_mxfast (value);
>        break;
>  
>      case M_TRIM_THRESHOLD:
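Review bot: The new `res = do_set_mxfast (value);` makes `mallopt (M_MXFAST, ...)` report failure for a rejected value, but the hunk shows only this one case and the rest of the switch in `__libc_mallopt` lies outside it. If the other cases still discard their helper's result, an application that checks `mallopt`'s return to confirm a tuning or hardening setting took effect would get a dependable answer only for `M_MXFAST`; that is worth confirming, or noting in a comment such as `/* Only M_MXFAST reports a rejected value so far.  */`. A regression test asserting that an out-of-range `M_MXFAST` request returns 0 and leaves the current limit unchanged would pin the new behaviour.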
> 


-- 
Cheers,
Carlos.


