malloc: make malloc fail with requests larger than PTRDIFF_MAX (BZ#23741)
As discussed previously on libc-alpha [1], this patch follows up the idea and adds both the __attribute_alloc_size__ on malloc functions (malloc, calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limits the maximum requested allocation size to PTRDIFF_MAX (taking into consideration internal padding and alignment). This aligns glibc with gcc expected size defined by default warning -Walloc-size-larger-than value which warns for allocation larger than PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and expected size, such as described in PR#67999 [2] and previously discussed ISO C11 issues [3] on libc-alpha. From the RFC thread [4] and previous discussion, it seems that consensus is only to limit such requested size for malloc functions, not the system allocation one (mmap, sbrk, etc.). The implementation changes checked_request2size to check for both overflow and maximum object size up to PTRDIFF_MAX. No additional checks are done on sysmalloc, so it can still issue mmap with values larger than PTRDIFF_T depending on the requested size. The __attribute_alloc_size__ is for functions that return a pointer only, which means it cannot be applied to posix_memalign (see remarks in GCC PR#87683 [5]). The runtime checks to limit maximum requested allocation size do apply to posix_memalign. Checked on x86_64-linux-gnu and i686-linux-gnu. [1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html [2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999 [3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html [4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html [5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683 [BZ #23741] * malloc/hooks.c (malloc_check, realloc_check): Use __builtin_add_overflow on overflow check and adapt to checked_request2size change. * malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign, __libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum allocation size to PTRDIFF_MAX. 
(REQUEST_OUT_OF_RANGE): Remove macro. (checked_request2size): Change to inline function and limit maximum requested size to PTRDIFF_MAX. (__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit maximum allocation size to PTRDIFF_MAX. (_mid_memalign): Use _int_memalign call for overflow check. (__libc_pvalloc): Use __builtin_add_overflow on overflow check. (__libc_calloc): Use __builtin_mul_overflow for overflow check and limit maximum requested size to PTRDIFF_MAX. * malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign, valloc, pvalloc): Add __attribute_alloc_size__. * stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise. * malloc/tst-malloc-too-large.c (do_test): Add check for allocation larger than PTRDIFF_MAX. * malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than= around tests of malloc with negative sizes. * malloc/tst-posix_memalign.c (do_test): Likewise. * malloc/tst-pvalloc.c (do_test): Likewise. * malloc/tst-valloc.c (do_test): Likewise. * malloc/tst-reallocarray.c (do_test): Replace call to reallocarray with resulting size allocation larger than PTRDIFF_MAX with reallocarray_nowarn. (reallocarray_nowarn): New function. * NEWS: Mention the malloc function semantic change.
@ -226,8 +226,9 @@ static void *
|
||||
malloc_check (size_t sz, const void *caller)
|
||||
{
|
||||
void *victim;
|
||||
size_t nb;
|
||||
|
||||
if (sz + 1 == 0)
|
||||
if (__builtin_add_overflow (sz, 1, &nb))
|
||||
{
|
||||
__set_errno (ENOMEM);
|
||||
return NULL;
|
||||
@ -235,7 +236,7 @@ malloc_check (size_t sz, const void *caller)
|
||||
|
||||
__libc_lock_lock (main_arena.mutex);
|
||||
top_check ();
|
||||
victim = _int_malloc (&main_arena, sz + 1);
|
||||
victim = _int_malloc (&main_arena, nb);
|
||||
__libc_lock_unlock (main_arena.mutex);
|
||||
return mem2mem_check (victim, sz);
|
||||
}
|
||||
@ -268,8 +269,9 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
|
||||
INTERNAL_SIZE_T nb;
|
||||
void *newmem = 0;
|
||||
unsigned char *magic_p;
|
||||
size_t rb;
|
||||
|
||||
if (bytes + 1 == 0)
|
||||
if (__builtin_add_overflow (bytes, 1, &rb))
|
||||
{
|
||||
__set_errno (ENOMEM);
|
||||
return NULL;
|
||||
@ -289,7 +291,9 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
|
||||
malloc_printerr ("realloc(): invalid pointer");
|
||||
const INTERNAL_SIZE_T oldsize = chunksize (oldp);
|
||||
|
||||
checked_request2size (bytes + 1, nb);
|
||||
if (!checked_request2size (rb, &nb))
|
||||
goto invert;
|
||||
|
||||
__libc_lock_lock (main_arena.mutex);
|
||||
|
||||
if (chunk_is_mmapped (oldp))
|
||||
@ -308,7 +312,7 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
|
||||
{
|
||||
/* Must alloc, copy, free. */
|
||||
top_check ();
|
||||
newmem = _int_malloc (&main_arena, bytes + 1);
|
||||
newmem = _int_malloc (&main_arena, rb);
|
||||
if (newmem)
|
||||
{
|
||||
memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ);
|
||||
@ -320,8 +324,6 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
|
||||
else
|
||||
{
|
||||
top_check ();
|
||||
INTERNAL_SIZE_T nb;
|
||||
checked_request2size (bytes + 1, nb);
|
||||
newmem = _int_realloc (&main_arena, oldp, oldsize, nb);
|
||||
}
|
||||
|
||||
@ -334,6 +336,7 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
|
||||
/* mem2chunk_check changed the magic byte in the old chunk.
|
||||
If newmem is NULL, then the old chunk will still be used though,
|
||||
so we need to invert that change here. */
|
||||
invert:
|
||||
if (newmem == NULL)
|
||||
*magic_p ^= 0xFF;
|
||||
DIAG_POP_NEEDS_COMMENT;
|
||||
|
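Review bot: The new `if (!checked_request2size (rb, &nb)) goto invert;` in realloc_check (hunk -289,+291) bails out without setting errno, whereas the `__builtin_add_overflow` failure a few lines earlier in the same function does `__set_errno (ENOMEM)` before returning NULL; a request rejected for exceeding PTRDIFF_MAX should report ENOMEM the same way, since callers of realloc distinguish failure modes by errno. The `invert:` label only restores the magic byte, and the return that follows it is outside the hunk, so I cannot see errno being set on that path. Suggest `if (!checked_request2size (rb, &nb)) { __set_errno (ENOMEM); goto invert; }`. realloc_check begins before its first hunk and ends after its last.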