This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH v2] [BZ #15855] malloc: Check for integer overflow in pvalloc.


On Tue, Aug 20, 2013 at 09:24:39AM +0100, Will Newton wrote:
> 
> A large bytes parameter to pvalloc could cause an integer overflow
> and corrupt allocator internals. Check the overflow does not occur
> before continuing with the allocation.
> 
> ChangeLog:
> 
> 2013-08-12  Will Newton  <will.newton@linaro.org>
> 
> 	[BZ #15855]
> 	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
> 	does not overflow.
> ---
>  malloc/malloc.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> Changes in v2:
>  - Add BZ number
> 
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index be472b2..7468758 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3082,6 +3082,10 @@ __libc_pvalloc(size_t bytes)
>    size_t page_mask = GLRO(dl_pagesize) - 1;
>    size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
> 
> +  /* Check for overflow.  */
> +  if (bytes + 2*pagesz + MINSIZE < bytes)
> +    return 0;
> +

It might be safer to use SIZE_MAX instead of relying on overflow
behaviour of the processor:

    if (SIZE_MAX - 2 * pagesz - MINSIZE < bytes)
      return 0;

>    void *(*hook) (size_t, size_t, const void *) =
>      force_reg (__memalign_hook);
>    if (__builtin_expect (hook != NULL, 0))
> -- 
> 1.8.1.4
> 

Siddhesh


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]