This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Re: RFA: libiberty: cope with integer overflow in _objalloc_alloc
- From: Florian Weimer <fweimer at redhat dot com>
- To: Nick Clifton <nickc at redhat dot com>
- Cc: dj at redhat dot com, ian at airs dot com, gcc-patches at gcc dot gnu dot org, binutils at sourceware dot org, jlieskov at redhat dot com
- Date: Fri, 31 Aug 2012 13:02:30 +0200
- Subject: Re: RFA: libiberty: cope with integer overflow in _objalloc_alloc
- References: <87y5kvpcz0.fsf@redhat.com>
On 08/31/2012 12:33 PM, Nick Clifton wrote:
Hi DJ, Hi Ian,
The _objalloc_alloc() function is currently vulnerable to an integer
overflow if it is passed a negative length. For example if called
with len = -3 and assuming that OBJALLOC_ALIGN is 4 then:
line 122: len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
So len = (-3 + 3) & ~ 3 = 0, and then the function returns a pointer
that will be reused the next time _objalloc_alloc is called.
Or suppose that len = -4, then:
line 122: len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
Which gives len = (-4 + 3) & ~3 = -4 and then:
line 136: ret = (char *) malloc (CHUNK_HEADER_SIZE + len);
So now the function returns a pointer to a memory block that is not
even big enough to contain the chunk header.
The proposed patch should take care of both of these scenarios. OK
to apply ?
If I'm not mistaken, this doesn't cover the -3 case properly:
PTR
_objalloc_alloc (struct objalloc *o, unsigned long len)
{
len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
/* We avoid confusion from zero sized objects by always allocating
at least OBJALLOC_ALIGN bytes. */
if (len == 0)
len = OBJALLOC_ALIGN;
This still results in a pointer which is too small. And this code is
never called because the wraparound already happens in the
objalloc_alloc macro in the header file.
Here's a different patch which should not suffer from this problem:
<http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01986.html>
--
Florian Weimer / Red Hat Product Security Team