This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH v2] [BZ #15855] malloc: Check for integer overflow in pvalloc.
- From: Siddhesh Poyarekar <siddhesh at redhat dot com>
- To: Will Newton <will dot newton at linaro dot org>
- Cc: libc-alpha at sourceware dot org, patches at linaro dot org
- Date: Tue, 10 Sep 2013 08:10:44 +0530
- Subject: Re: [PATCH v2] [BZ #15855] malloc: Check for integer overflow in pvalloc.
- Authentication-results: sourceware.org; auth=none
- References: <521327C7 dot 3020501 at linaro dot org>
On Tue, Aug 20, 2013 at 09:24:39AM +0100, Will Newton wrote:
>
> A large bytes parameter to pvalloc could cause an integer overflow
> and corrupt allocator internals. Check the overflow does not occur
> before continuing with the allocation.
>
> ChangeLog:
>
> 2013-08-12 Will Newton <will.newton@linaro.org>
>
> [BZ #15855]
> * malloc/malloc.c (__libc_pvalloc): Check the value of bytes
> does not overflow.
> ---
> malloc/malloc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> Changes in v2:
> - Add BZ number
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index be472b2..7468758 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3082,6 +3082,10 @@ __libc_pvalloc(size_t bytes)
> size_t page_mask = GLRO(dl_pagesize) - 1;
> size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
>
> + /* Check for overflow. */
> + if (bytes + 2*pagesz + MINSIZE < bytes)
> + return 0;
> +
It might be safer to use SIZE_MAX instead of relying on overflow
behaviour of the processor:
if (SIZE_MAX - 2 * pagesz - MINSIZE < bytes)
return 0;
> void *(*hook) (size_t, size_t, const void *) =
> force_reg (__memalign_hook);
> if (__builtin_expect (hook != NULL, 0))
> --
> 1.8.1.4
>
Siddhesh