This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug malloc/22343] New: Integer overflow in posix_memalign
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 24 Oct 2017 08:19:56 +0000
- Subject: [Bug malloc/22343] New: Integer overflow in posix_memalign
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22343
Bug ID: 22343
Summary: Integer overflow in posix_memalign
Product: glibc
Version: 2.26
Status: NEW
Severity: minor
Priority: P3
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
Created attachment 10553
--> https://sourceware.org/bugzilla/attachment.cgi?id=10553&action=edit
reproducer.c
Jakub Wilk reported that posix_memalign fails to properly report an error for
allocation sizes close to SIZE_MAX:
Some posix_memalign() calls fail catastrophically:
$ grep memalign test-posix-memalign.c
return posix_memalign(&p, 0x10, SIZE_MAX - 0x20);
$ make test-posix-memalign
cc test-posix-memalign.c -o test-posix-memalign
$ ./test-posix-memalign
*** Error in `./test-posix-memalign': free(): invalid next size (fast): 0x57a96008 ***
...
Backtrace:
#0 0xf7fd7dc9 in __kernel_vsyscall ()
#1 0xf7e2add0 in __libc_signal_restore_set (set=0xffffd160) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xf7e2c297 in __GI_abort () at abort.c:89
#4 0xf7e6638f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#5 0xf7e6cfc7 in malloc_printerr (action=<optimized out>, str=0xf7f60318 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xf7fb2780 <main_arena>) at malloc.c:5049
#6 0xf7e6d806 in _int_free (av=av@entry=0xf7fb2780 <main_arena>, p=p@entry=0x56558000, have_lock=have_lock@entry=1) at malloc.c:3905
#7 0xf7e6f8c3 in _int_memalign (av=av@entry=0xf7fb2780 <main_arena>, alignment=alignment@entry=16, bytes=bytes@entry=4294967263) at malloc.c:4497
#8 0xf7e70eea in _mid_memalign (alignment=16, bytes=4294967263, address=<optimized out>) at malloc.c:3158
#9 0xf7e71028 in _mid_memalign (alignment=alignment@entry=16, bytes=bytes@entry=4294967263, address=<optimized out>) at malloc.c:3121
#10 0xf7e72b7f in __posix_memalign (memptr=0xffffd6ac, alignment=16, size=4294967263) at malloc.c:5071
#11 0x5655556b in main ()
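The arithmetic behind the crash, as an added example that is not part of the bug report and not glibc's own code: _int_memalign rounds the request up to a chunk size and then adds the alignment and MINSIZE before asking _int_malloc for memory. The constants below (SIZE_SZ, MALLOC_ALIGNMENT, MINSIZE) are assumptions modelled on a 16-byte-aligned glibc build, model_request2size is a simplified stand-in for request2size, and checked_posix_memalign is a hypothetical caller-side guard, not a glibc API. With the report's request of SIZE_MAX - 0x20 the sum wraps to a few dozen bytes, which is why a tiny chunk ends up being carved and freed as if it were enormous.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed constants, modelled on glibc's malloc.c for a build with
   16-byte MALLOC_ALIGNMENT.  They are not the project's definitions. */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  ((size_t)16)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           ((4 * SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* Simplified model of request2size: add room for the size field and round
   up to the chunk alignment.  Plain unsigned arithmetic, so nothing here
   complains when the request is close to SIZE_MAX. */
static size_t model_request2size(size_t bytes)
{
    return (bytes + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK;
}

/* The quantity an _int_memalign-style allocator passes on is
   nb + alignment + MINSIZE.  Return 1 if that addition wraps around
   SIZE_MAX, and store the (possibly wrapped) sum in *sum so the caller
   can see how small the real allocation would become. */
static int memalign_request_wraps(size_t alignment, size_t bytes, size_t *sum)
{
    size_t nb = model_request2size(bytes);
    size_t extra = alignment + MINSIZE;  /* alignment is a small power of two */

    *sum = nb + extra;                    /* wraps modulo SIZE_MAX + 1 */
    return nb > SIZE_MAX - extra;         /* true iff the addition overflowed */
}

/* Hypothetical caller-side guard: reject a request that would wrap with
   ENOMEM (the error posix_memalign is supposed to report) instead of
   letting it reach the allocator. */
static int checked_posix_memalign(void **memptr, size_t alignment, size_t bytes)
{
    size_t wrapped;

    if (memalign_request_wraps(alignment, bytes, &wrapped))
        return ENOMEM;
    return posix_memalign(memptr, alignment, bytes);
}

int main(void)
{
    size_t sum;
    void *p = NULL;

    /* The report's request: alignment 16, size SIZE_MAX - 0x20. */
    int wraps = memalign_request_wraps(16, SIZE_MAX - 0x20, &sum);
    printf("SIZE_MAX - 0x20: wraps=%d, allocator would be asked for %zu bytes\n",
           wraps, sum);

    /* A sane request for comparison. */
    wraps = memalign_request_wraps(16, 64, &sum);
    printf("64 bytes: wraps=%d, allocator asked for %zu bytes\n", wraps, sum);

    int rc = checked_posix_memalign(&p, 16, SIZE_MAX - 0x20);
    printf("checked_posix_memalign(SIZE_MAX - 0x20) -> %d (%s)\n",
           rc, rc == ENOMEM ? "ENOMEM" : "unexpected");

    rc = checked_posix_memalign(&p, 16, 64);
    printf("checked_posix_memalign(64) -> %d, p=%p\n", rc, p);
    free(p);
    return 0;
}
```

The guard is only a caller-side mitigation for code that cannot control which libc it runs against; the proper fix belongs inside the allocator, where the overflowing sum is computed.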