This is the mail archive of the
libc-ports@sources.redhat.com
mailing list for the libc-ports project.
Re: [PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.
- From: Siddhesh Poyarekar <siddhesh dot poyarekar at gmail dot com>
- To: Will Newton <will dot newton at linaro dot org>
- Cc: libc-ports at sourceware dot org, patches at linaro dot org
- Date: Tue, 10 Sep 2013 19:03:19 +0530
- Subject: Re: [PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.
- Authentication-results: sourceware.org; auth=none
- References: <522F1BAD dot 7070502 at linaro dot org>
On 10 September 2013 18:46, Will Newton <will.newton@linaro.org> wrote:
>
> A large bytes parameter to valloc could cause an integer overflow
> and corrupt allocator internals. Check the overflow does not occur
> before continuing with the allocation.
>
> ChangeLog:
>
> 2013-08-16 Will Newton <will.newton@linaro.org>
>
> [BZ #15856]
> * malloc/malloc.c (__libc_valloc): Check the value of bytes
> does not overflow.
> ---
> malloc/malloc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> Changes in v3:
> - Reorder if condition
> - Set errno appropriately
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 7f43ba3..3148c5f 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
>
> size_t pagesz = GLRO(dl_pagesize);
>
> + /* Check for overflow. */
> + if (bytes > SIZE_MAX - pagesz - MINSIZE)
> + {
> + __set_errno (ENOMEM);
> + return 0;
> + }
> +
> void *(*hook) (size_t, size_t, const void *) =
> force_reg (__memalign_hook);
> if (__builtin_expect (hook != NULL, 0))
> --
> 1.8.1.4
>
Wrong mailing list, but the patch is OK.
Thanks,
Siddhesh
--
http://siddhesh.in