This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.18-346-ga56ee40
- From: willnewton at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 30 Oct 2013 21:46:31 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.18-346-ga56ee40
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd (commit)
from c6e4925d4069d38843c02994ffd284e8c87c8929 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd
commit a56ee40b176d0a3f47f2a7eb75208f2e3763c9fd
Author: Will Newton <will.newton@linaro.org>
Date: Thu Oct 10 13:17:13 2013 +0100
malloc: Fix for infinite loop in memalign/posix_memalign.
A very large alignment argument passed to mealign/posix_memalign
causes _int_memalign to enter an infinite loop. Limit the maximum
alignment value to the maximum representable power of two to
prevent this from happening.
Changelog:
2013-10-30 Will Newton <will.newton@linaro.org>
[BZ #16038]
* malloc/hooks.c (memalign_check): Limit alignment to the
maximum representable power of two.
* malloc/malloc.c (__libc_memalign): Likewise.
* malloc/tst-memalign.c (do_test): Add test for very
large alignment values.
* malloc/tst-posix_memalign.c (do_test): Likewise.
diff --git a/ChangeLog b/ChangeLog
index 4444868..4d7a951 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2013-10-30 Will Newton <will.newton@linaro.org>
+
+ [BZ #16038]
+ * malloc/hooks.c (memalign_check): Limit alignment to the
+ maximum representable power of two.
+ * malloc/malloc.c (__libc_memalign): Likewise.
+ * malloc/tst-memalign.c (do_test): Add test for very
+ large alignment values.
+ * malloc/tst-posix_memalign.c (do_test): Likewise.
+
2013-10-30 OndÅ?ej BÃlka <neleai@seznam.cz>
[BZ #11087]
diff --git a/malloc/hooks.c b/malloc/hooks.c
index 3f663bb..1dbe93f 100644
--- a/malloc/hooks.c
+++ b/malloc/hooks.c
@@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
if (alignment < MINSIZE) alignment = MINSIZE;
+ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
+ power of 2 and will cause overflow in the check below. */
+ if (alignment > SIZE_MAX / 2 + 1)
+ {
+ __set_errno (EINVAL);
+ return 0;
+ }
+
/* Check for overflow. */
if (bytes > SIZE_MAX - alignment - MINSIZE)
{
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 79025b1..29796fe 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
/* Otherwise, ensure that it is at least a minimum chunk size */
if (alignment < MINSIZE) alignment = MINSIZE;
+ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
+ power of 2 and will cause overflow in the check below. */
+ if (alignment > SIZE_MAX / 2 + 1)
+ {
+ __set_errno (EINVAL);
+ return 0;
+ }
+
/* Check for overflow. */
if (bytes > SIZE_MAX - alignment - MINSIZE)
{
diff --git a/malloc/tst-memalign.c b/malloc/tst-memalign.c
index 1c59752..cf48e7e 100644
--- a/malloc/tst-memalign.c
+++ b/malloc/tst-memalign.c
@@ -70,6 +70,21 @@ do_test (void)
free (p);
+ errno = 0;
+
+ /* Test to expose integer overflow in malloc internals from BZ #16038. */
+ p = memalign (-1, pagesize);
+
+ save = errno;
+
+ if (p != NULL)
+ merror ("memalign (-1, pagesize) succeeded.");
+
+ if (p == NULL && save != EINVAL)
+ merror ("memalign (-1, pagesize) errno is not set correctly");
+
+ free (p);
+
/* A zero-sized allocation should succeed with glibc, returning a
non-NULL value. */
p = memalign (sizeof (void *), 0);
diff --git a/malloc/tst-posix_memalign.c b/malloc/tst-posix_memalign.c
index 27c0dd2..7f34e37 100644
--- a/malloc/tst-posix_memalign.c
+++ b/malloc/tst-posix_memalign.c
@@ -65,6 +65,16 @@ do_test (void)
p = NULL;
+ /* Test to expose integer overflow in malloc internals from BZ #16038. */
+ ret = posix_memalign (&p, -1, pagesize);
+
+ if (ret != EINVAL)
+ merror ("posix_memalign (&p, -1, pagesize) succeeded.");
+
+ free (p);
+
+ p = NULL;
+
/* A zero-sized allocation should succeed with glibc, returning zero
and setting p to a non-NULL value. */
ret = posix_memalign (&p, sizeof (void *), 0);
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 10 ++++++++++
malloc/hooks.c | 8 ++++++++
malloc/malloc.c | 8 ++++++++
malloc/tst-memalign.c | 15 +++++++++++++++
malloc/tst-posix_memalign.c | 10 ++++++++++
5 files changed, 51 insertions(+), 0 deletions(-)
hooks/post-receive
--
GNU C Library master sources