[PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.

Will Newton

A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-08-16  Will Newton  <[hidden email]>

        [BZ #15856]
        * malloc/malloc.c (__libc_valloc): Check the value of bytes
        does not overflow.
---
 malloc/malloc.c | 7 +++++++
 1 file changed, 7 insertions(+)

Changes in v3:
 - Reorder if condition
 - Set errno appropriately

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 7f43ba3..3148c5f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)

   size_t pagesz = GLRO(dl_pagesize);

+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   void *(*hook) (size_t, size_t, const void *) =
     force_reg (__memalign_hook);
   if (__builtin_expect (hook != NULL, 0))
--
1.8.1.4

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.

Siddhesh Poyarekar
On 10 September 2013 18:46, Will Newton <[hidden email]> wrote:

>
> A large bytes parameter to valloc could cause an integer overflow
> and corrupt allocator internals. Check the overflow does not occur
> before continuing with the allocation.
>
> ChangeLog:
>
> 2013-08-16  Will Newton  <[hidden email]>
>
>         [BZ #15856]
>         * malloc/malloc.c (__libc_valloc): Check the value of bytes
>         does not overflow.
> ---
>  malloc/malloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> Changes in v3:
>  - Reorder if condition
>  - Set errno appropriately
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 7f43ba3..3148c5f 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
>
>    size_t pagesz = GLRO(dl_pagesize);
>
> +  /* Check for overflow.  */
> +  if (bytes > SIZE_MAX - pagesz - MINSIZE)
> +    {
> +      __set_errno (ENOMEM);
> +      return 0;
> +    }
> +
>    void *(*hook) (size_t, size_t, const void *) =
>      force_reg (__memalign_hook);
>    if (__builtin_expect (hook != NULL, 0))
> --
> 1.8.1.4
>

Wrong mailing list, but the patch is OK.

Thanks,
Siddhesh

--
http://siddhesh.in