lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-28 00:21:52 +03:00
Code Activity

malloc: Fix for infinite loop in memalign/posix_memalign.

Browse Source 
A very large alignment argument passed to mealign/posix_memalign
causes _int_memalign to enter an infinite loop. Limit the maximum
alignment value to the maximum representable power of two to
prevent this from happening.

Changelog:

2013-10-30  Will Newton  <will.newton@linaro.org>

	[BZ #16038]
	* malloc/hooks.c (memalign_check): Limit alignment to the
	maximum representable power of two.
	* malloc/malloc.c (__libc_memalign): Likewise.
	* malloc/tst-memalign.c (do_test): Add test for very
	large alignment values.
	* malloc/tst-posix_memalign.c (do_test): Likewise.
This commit is contained in:
Will Newton
2013-10-10 13:17:13 +01:00
parent c6e4925d40
commit a56ee40b17
5 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,3 +1,13 @@
2013-10-30 Will Newton <will.newton@linaro.org>
[BZ #16038]
* malloc/hooks.c (memalign_check): Limit alignment to the
maximum representable power of two.
* malloc/malloc.c (__libc_memalign): Likewise.
* malloc/tst-memalign.c (do_test): Add test for very
large alignment values.
* malloc/tst-posix_memalign.c (do_test): Likewise.
2013-10-30 Ondřej Bílka <neleai@seznam.cz> 2013-10-30 Ondřej Bílka <neleai@seznam.cz>
[BZ #11087] [BZ #11087]

8
malloc/hooks.c
View File

@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL); if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
if (alignment < MINSIZE) alignment = MINSIZE; if (alignment < MINSIZE) alignment = MINSIZE;
/* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
power of 2 and will cause overflow in the check below. */
if (alignment > SIZE_MAX / 2 + 1)
{
__set_errno (EINVAL);
return 0;
}
/* Check for overflow. */ /* Check for overflow. */
if (bytes > SIZE_MAX - alignment - MINSIZE) if (bytes > SIZE_MAX - alignment - MINSIZE)
{ {

8
malloc/malloc.c
View File

@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
/* Otherwise, ensure that it is at least a minimum chunk size */ /* Otherwise, ensure that it is at least a minimum chunk size */
if (alignment < MINSIZE) alignment = MINSIZE; if (alignment < MINSIZE) alignment = MINSIZE;
/* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
power of 2 and will cause overflow in the check below. */
if (alignment > SIZE_MAX / 2 + 1)
{
__set_errno (EINVAL);
return 0;
}
/* Check for overflow. */ /* Check for overflow. */
if (bytes > SIZE_MAX - alignment - MINSIZE) if (bytes > SIZE_MAX - alignment - MINSIZE)
{ {

15
malloc/tst-memalign.c
View File

@ -70,6 +70,21 @@ do_test (void)
free (p); free (p);
errno = 0;
/* Test to expose integer overflow in malloc internals from BZ #16038. */
p = memalign (-1, pagesize);
save = errno;
if (p != NULL)
merror ("memalign (-1, pagesize) succeeded.");
if (p == NULL && save != EINVAL)
merror ("memalign (-1, pagesize) errno is not set correctly");
free (p);
/* A zero-sized allocation should succeed with glibc, returning a /* A zero-sized allocation should succeed with glibc, returning a
non-NULL value. */ non-NULL value. */
p = memalign (sizeof (void *), 0); p = memalign (sizeof (void *), 0);

10
malloc/tst-posix_memalign.c
View File

@ -65,6 +65,16 @@ do_test (void)
p = NULL; p = NULL;
/* Test to expose integer overflow in malloc internals from BZ #16038. */
ret = posix_memalign (&p, -1, pagesize);
if (ret != EINVAL)
merror ("posix_memalign (&p, -1, pagesize) succeeded.");
free (p);
p = NULL;
/* A zero-sized allocation should succeed with glibc, returning zero /* A zero-sized allocation should succeed with glibc, returning zero
and setting p to a non-NULL value. */ and setting p to a non-NULL value. */
ret = posix_memalign (&p, sizeof (void *), 0); ret = posix_memalign (&p, sizeof (void *), 0);