This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug malloc/22343] New: Integer overflow in posix_memalign


https://sourceware.org/bugzilla/show_bug.cgi?id=22343

            Bug ID: 22343
           Summary: Integer overflow in posix_memalign
           Product: glibc
           Version: 2.26
            Status: NEW
          Severity: minor
          Priority: P3
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security+

Created attachment 10553
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10553&action=edit
reproducer.c

Jakub Wilk reported that posix_memalign fails to properly report an error for
allocation sizes close to SIZE_MAX:

Some posix_memalign() calls fail catastrophically:

  $ grep memalign test-posix-memalign.c
       return posix_memalign(&p, 0x10, SIZE_MAX - 0x20);

  $ make test-posix-memalign
  cc     test-posix-memalign.c   -o test-posix-memalign

  $ ./test-posix-memalign
  *** Error in `./test-posix-memalign': free(): invalid next size (fast):
0x57a96008 ***
  ...

Backtrace:

#0  0xf7fd7dc9 in __kernel_vsyscall ()
#1  0xf7e2add0 in __libc_signal_restore_set (set=0xffffd160) at
../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf7e2c297 in __GI_abort () at abort.c:89
#4  0xf7e6638f in __libc_message (do_abort=<optimized out>, fmt=<optimized
out>) at ../sysdeps/posix/libc_fatal.c:175
#5  0xf7e6cfc7 in malloc_printerr (action=<optimized out>, str=0xf7f60318
"free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xf7fb2780
<main_arena>) at malloc.c:5049
#6  0xf7e6d806 in _int_free (av=av@entry=0xf7fb2780 <main_arena>,
p=p@entry=0x56558000, have_lock=have_lock@entry=1) at malloc.c:3905
#7  0xf7e6f8c3 in _int_memalign (av=av@entry=0xf7fb2780 <main_arena>,
alignment=alignment@entry=16, bytes=bytes@entry=4294967263) at malloc.c:4497
#8  0xf7e70eea in _mid_memalign (alignment=16, bytes=4294967263,
address=<optimized out>) at malloc.c:3158
#9  0xf7e71028 in _mid_memalign (alignment=alignment@entry=16,
bytes=bytes@entry=4294967263, address=<optimized out>) at malloc.c:3121
#10 0xf7e72b7f in __posix_memalign (memptr=0xffffd6ac, alignment=16,
size=4294967263) at malloc.c:5071
#11 0x5655556b in main ()

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]