Commit | Line | Data |
---|---|---|
8e448310 AS |
1 | /* Test and verify that too-large memory allocations fail with ENOMEM. |
2 | Copyright (C) 2018 Free Software Foundation, Inc. | |
3 | This file is part of the GNU C Library. | |
4 | ||
5 | The GNU C Library is free software; you can redistribute it and/or | |
6 | modify it under the terms of the GNU Lesser General Public | |
7 | License as published by the Free Software Foundation; either | |
8 | version 2.1 of the License, or (at your option) any later version. | |
9 | ||
10 | The GNU C Library is distributed in the hope that it will be useful, | |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
13 | Lesser General Public License for more details. | |
14 | ||
15 | You should have received a copy of the GNU Lesser General Public | |
16 | License along with the GNU C Library; if not, see | |
17 | <http://www.gnu.org/licenses/>. */ | |
18 | ||
19 | /* Bug 22375 reported a regression in malloc where if after malloc'ing then | |
20 | free'ing a small block of memory, malloc is then called with a really | |
21 | large size argument (close to SIZE_MAX): instead of returning NULL and | |
22 | setting errno to ENOMEM, malloc incorrectly returns the previously | |
23 | allocated block instead. Bug 22343 reported a similar case where | |
24 | posix_memalign incorrectly returns successfully when called with a | |
25 | really large size argument. | |
26 | ||
27 | Both of these were caused by integer overflows in the allocator when it | |
28 | was trying to pad the requested size to allow for book-keeping or | |
29 | alignment. This test guards against such bugs by repeatedly allocating | |
30 | and freeing small blocks of memory then trying to allocate various block | |
31 | sizes larger than the memory bus width of 64-bit targets, or almost | |
32 | as large as SIZE_MAX on 32-bit targets supported by glibc. In each case, | |
33 | it verifies that such impossibly large allocations correctly fail. */ | |
34 | ||
35 | ||
36 | #include <stdlib.h> | |
37 | #include <malloc.h> | |
38 | #include <errno.h> | |
39 | #include <stdint.h> | |
40 | #include <sys/resource.h> | |
41 | #include <libc-diag.h> | |
42 | #include <support/check.h> | |
43 | #include <unistd.h> | |
44 | #include <sys/param.h> | |
45 | ||
46 | ||
/* Prime the allocator before each 'too-large memory allocation' check:
   do one small malloc/free round trip, then clear errno so that the
   caller's errno assertion only observes what the call under test set.
   The test exits immediately if even the 16-byte allocation fails.  */
static void
test_setup (void)
{
  /* NOTE(review): the pointer object is volatile-qualified, presumably so
     that the compiler cannot optimize the malloc/free pair away --
     confirm.  */
  void *volatile ptr;

  ptr = malloc (16);
  TEST_VERIFY_EXIT (ptr != NULL);
  free (ptr);

  errno = 0;
}
58 | ||
59 | ||
/* Check that every non-aligned allocation entry point rejects SIZE with
   a NULL result and errno == ENOMEM:
     - malloc (SIZE)
     - realloc (PTR_FOR_REALLOC, SIZE)
     - for NMEMB in 1, 2, 4, 8, as long as NMEMB divides SIZE:
       - calloc (NMEMB, SIZE/NMEMB)
       - calloc (SIZE/NMEMB, NMEMB)
       - reallocarray (PTR_FOR_REALLOC, NMEMB, SIZE/NMEMB)
       - reallocarray (PTR_FOR_REALLOC, SIZE/NMEMB, NMEMB)
   Each call under test is preceded by test_setup (), i.e. by a small
   malloc/free and an errno reset.  */
static void
test_large_allocations (size_t size)
{
  /* malloc.  */
  test_setup ();
  TEST_VERIFY (malloc (size) == NULL);
  TEST_VERIFY (errno == ENOMEM);

  /* realloc.  The 16-byte block is freed by hand afterwards because the
     realloc call is expected to fail.  */
  void *ptr_to_realloc = malloc (16);
  TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
  test_setup ();
  TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);
  TEST_VERIFY (errno == ENOMEM);
  free (ptr_to_realloc);

  /* calloc and reallocarray take the size as a product of two factors, so
     SIZE is split into NMEMB * (SIZE / NMEMB) and passed in both
     orders.  */
  for (size_t nmemb = 1; nmemb <= 8; nmemb <<= 1)
    {
      /* Stop at the first NMEMB that does not divide SIZE: the product
         would no longer be equal to SIZE.  */
      if ((size % nmemb) != 0)
        break;

      test_setup ();
      TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);
      TEST_VERIFY (errno == ENOMEM);

      test_setup ();
      TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);
      TEST_VERIFY (errno == ENOMEM);

      ptr_to_realloc = malloc (16);
      TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
      test_setup ();
      TEST_VERIFY (reallocarray (ptr_to_realloc, nmemb, size / nmemb) == NULL);
      TEST_VERIFY (errno == ENOMEM);
      free (ptr_to_realloc);

      ptr_to_realloc = malloc (16);
      TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
      test_setup ();
      TEST_VERIFY (reallocarray (ptr_to_realloc, size / nmemb, nmemb) == NULL);
      TEST_VERIFY (errno == ENOMEM);
      free (ptr_to_realloc);
    }
}
113 | ||
114 | ||
/* System page size.  do_test sets it from sysconf (_SC_PAGESIZE) and
   verifies that it is a power of 2; it bounds the alignments tried
   below.  */
static long pagesize;

/* Check that the aligned allocation entry points memalign,
   posix_memalign, aligned_alloc, valloc and pvalloc all reject SIZE.
   The first three are tried with every power-of-2 alignment from 1
   through PAGESIZE that the respective function accepts.  Each call
   under test is preceded by test_setup (), i.e. by a small malloc/free
   and an errno reset.  */
static void
test_large_aligned_allocations (size_t size)
{
  /* Output argument for posix_memalign.  Every call is expected to fail,
     and a failing posix_memalign should not store anything, so ptr starts
     out as NULL and is checked to still be NULL after each call.  */
  void *ptr = NULL;

  /* All aligned memory allocation functions expect an alignment that is
     a power of 2, hence the doubling.  */
  for (size_t align = 1; align <= pagesize; align <<= 1)
    {
      test_setup ();
      TEST_VERIFY (memalign (align, size) == NULL);
      TEST_VERIFY (errno == ENOMEM);

      /* posix_memalign additionally requires the alignment to be a
         multiple of sizeof (void *).  It reports failure through its
         return value, so errno is not examined here.  */
      if ((align % sizeof (void *)) == 0)
        {
          test_setup ();
          TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);
          TEST_VERIFY (ptr == NULL);
        }

      /* aligned_alloc expects a size that is a multiple of the
         alignment.  */
      if ((size % align) == 0)
        {
          test_setup ();
          TEST_VERIFY (aligned_alloc (align, size) == NULL);
          TEST_VERIFY (errno == ENOMEM);
        }
    }

  /* valloc and pvalloc take no alignment argument; both return
     page-aligned memory.  */

  test_setup ();
  TEST_VERIFY (valloc (size) == NULL);
  TEST_VERIFY (errno == ENOMEM);

  test_setup ();
  TEST_VERIFY (pvalloc (size) == NULL);
  TEST_VERIFY (errno == ENOMEM);
}
169 | ||
170 | ||
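/* Masks with the 14, respectively 50, least significant bits set.
   FIFTY_ON_BITS shifts an unsigned long by 50 bits and is therefore only
   used under __WORDSIZE >= 64.  */
#define FOURTEEN_ON_BITS ((1UL << 14) - 1)
#define FIFTY_ON_BITS ((1UL << 50) - 1)


/* Test entry point.  Caps the address space at 50 bits on 64-bit targets,
   then runs test_large_allocations and test_large_aligned_allocations
   over the sizes described at each loop below.  Returns 0; failures are
   recorded through the TEST_VERIFY macros.  */
static int
do_test (void)
{

#if __WORDSIZE >= 64

  /* This test assumes that none of the supported targets have an address
     bus wider than 50 bits, and that therefore allocations for sizes wider
     than 50 bits will fail.  Here, we ensure that the assumption continues
     to be true in the future when we might have address buses wider than 50
     bits.  */

  struct rlimit alloc_size_limit
    = {
        .rlim_cur = FIFTY_ON_BITS,
        .rlim_max = FIFTY_ON_BITS
      };

  if (setrlimit (RLIMIT_AS, &alloc_size_limit) != 0)
    {
      /* setrlimit can fail, for instance when the hard limit is already
         lower than the requested one, because an unprivileged process
         cannot raise it.  The premise above still holds if the soft
         limit in effect is within 50 bits.  Otherwise it cannot be
         guaranteed, so report the test as unsupported instead of
         running it on an unverified premise.  */
      struct rlimit current_limit;

      if (getrlimit (RLIMIT_AS, &current_limit) != 0)
        FAIL_UNSUPPORTED ("cannot set or query RLIMIT_AS");
      if (current_limit.rlim_cur > FIFTY_ON_BITS)
        FAIL_UNSUPPORTED ("cannot limit the address space to 50 bits");
    }

#endif /* __WORDSIZE >= 64 */

  DIAG_PUSH_NEEDS_COMMENT;
#if __GNUC_PREREQ (7, 0)
  /* GCC 7 warns about too-large allocations; here we want to test
     that they fail.  */
  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
#endif

  /* Aligned memory allocation functions need to be tested up to alignment
     size equivalent to page size, which should be a power of 2.  */
  pagesize = sysconf (_SC_PAGESIZE);
  TEST_VERIFY_EXIT (powerof2 (pagesize));

  /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
     in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.

     We can expect that this range of allocation sizes will always lead to
     an allocation failure on both 64 and 32 bit targets, because:

     1. no currently supported 64-bit target has an address bus wider than
        50 bits -- and (2^64 - 2^14) is much wider than that;

     2. on 32-bit targets, even though 2^32 is only 4 GB and potentially
        addressable, glibc itself is more than 2^14 bytes in size, and
        therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain
        available.  */

  for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)
    {
      test_large_allocations (SIZE_MAX - i);
      test_large_aligned_allocations (SIZE_MAX - i);
    }

#if __WORDSIZE >= 64
  /* On 64-bit targets, we need to test a much wider range of too-large
     sizes, so we test at intervals of (1 << 50) that allocation sizes
     ranging from SIZE_MAX down to (1 << 50) fail:
     The 14 MSBs are decremented starting from "all ON" going down to 1,
     the 50 LSBs are "all ON" and then "all OFF" during every iteration.  */
  for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--)
    {
      size_t size = (msbs << 50) | FIFTY_ON_BITS;
      test_large_allocations (size);
      test_large_aligned_allocations (size);

      size = msbs << 50;
      test_large_allocations (size);
      test_large_aligned_allocations (size);
    }
#endif /* __WORDSIZE >= 64 */

  DIAG_POP_NEEDS_COMMENT;

  return 0;
}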
251 | ||
252 | ||
253 | #include <support/test-driver.c> |