This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: alloca vs malloc


On 05/19/14 09:30, Joseph S. Myers wrote:

> There are various cases where replacing alloca with malloc is not safe
> (but use of alloca isn't safe either unless the size allocated is
> bounded):
Yup. I hadn't pondered any of these scenarios. At least some of them probably ought to be discussed with the appropriate POSIX/ISO standards group.

> * If the function's interface does not provide a way for it to return an
> error indication for memory allocation failures at all, or people
> otherwise reasonably expect it never to fail for that reason, then bounded
> alloca / VLAs can be used, but malloc cannot.
These are the cases I'm referring to that ought to be discussed with the standards committee.

> (I don't know about practical exploitability or CVE-worthiness of that
> bug; I just presume that any unbounded stack allocation should be
> considered bad, although those where the space allocated is proportional
> to the space already used by function arguments passed to the glibc
> function are maybe less critical.)
Right. I don't think anyone has done any kind of exploitability analysis for that particular bug (16962). However, my experience has been that if there's an unbounded alloca, then exploitability is just an exercise left for the reader :-) So, I'd agree that any unbounded stack allocation should be considered bad.


Jeff
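The "bounded alloca" pattern the thread contrasts with an unbounded one, as an added example that is not part of the message above or of glibc's code: requests up to a fixed cap go on the stack, anything larger goes through malloc with an explicit error return, so the stack depth consumed by one call is bounded regardless of caller-supplied input. The cap value, the function names and the worker's task are this example's own choices; glibc makes a similar stack-or-heap decision internally with its __libc_use_alloca helper, but nothing here is taken from it.

```c
/* Added example: bounded stack allocation with a heap fallback.
   Names, cap and the worker's job are constructed for illustration. */
#include <alloca.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hard cap on what one call may place on the stack (example value). */
#define STACK_BUF_MAX 256

/* Upper-case the n bytes at s into a scratch buffer and count how many
   bytes changed.  Returns the count, or -1 if the scratch buffer could
   not be allocated.  The stack path can never exceed STACK_BUF_MAX, so
   a hostile n does not translate into an unbounded stack frame. */
int count_uppercased(const char *s, size_t n)
{
    char *buf;
    int on_stack = n <= STACK_BUF_MAX;   /* bounded: alloca only below the cap */

    if (on_stack) {
        buf = alloca(n);                 /* cannot fail, size is capped */
    } else {
        buf = malloc(n);                 /* may fail: report it, don't guess */
        if (buf == NULL)
            return -1;
    }

    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        buf[i] = (char) toupper((unsigned char) s[i]);
        if (buf[i] != s[i])
            changed++;
    }

    if (!on_stack)
        free(buf);                       /* only the heap path owns memory */
    return changed;
}

/* Exercise the heap path with a constructed input well above the cap. */
int demo_large(void)
{
    enum { BIG = 4 * STACK_BUF_MAX };    /* 1024 bytes: forces the malloc path */
    char *in = malloc(BIG);
    if (in == NULL)
        return -1;
    memset(in, 'x', BIG);                /* every byte changes when upper-cased */
    int r = count_uppercased(in, BIG);
    free(in);
    return r;
}

int main(void)
{
    printf("%d bytes changed (stack path)\n", count_uppercased("hello, world", 12));
    printf("%d bytes changed (heap path)\n", demo_large());
    return 0;
}
```

The split keeps the property both sides of the thread care about: callers that cannot receive an allocation failure get a stack buffer whose size is bounded by a constant rather than by their input, and only the sizes that would otherwise blow the stack are routed to an allocator whose failure can actually be reported.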



