]>
Commit | Line | Data |
---|---|---|
8e448310 | 1 | /* Test and verify that too-large memory allocations fail with ENOMEM. |
04277e02 | 2 | Copyright (C) 2018-2019 Free Software Foundation, Inc. |
8e448310 AS |
3 | This file is part of the GNU C Library. |
4 | ||
5 | The GNU C Library is free software; you can redistribute it and/or | |
6 | modify it under the terms of the GNU Lesser General Public | |
7 | License as published by the Free Software Foundation; either | |
8 | version 2.1 of the License, or (at your option) any later version. | |
9 | ||
10 | The GNU C Library is distributed in the hope that it will be useful, | |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
13 | Lesser General Public License for more details. | |
14 | ||
15 | You should have received a copy of the GNU Lesser General Public | |
16 | License along with the GNU C Library; if not, see | |
17 | <http://www.gnu.org/licenses/>. */ | |
18 | ||
19 | /* Bug 22375 reported a regression in malloc where if after malloc'ing then | |
20 | free'ing a small block of memory, malloc is then called with a really | |
21 | large size argument (close to SIZE_MAX): instead of returning NULL and | |
22 | setting errno to ENOMEM, malloc incorrectly returns the previously | |
23 | allocated block instead. Bug 22343 reported a similar case where | |
24 | posix_memalign incorrectly returns successfully when called with an with | |
25 | a really large size argument. | |
26 | ||
27 | Both of these were caused by integer overflows in the allocator when it | |
28 | was trying to pad the requested size to allow for book-keeping or | |
29 | alignment. This test guards against such bugs by repeatedly allocating | |
30 | and freeing small blocks of memory then trying to allocate various block | |
31 | sizes larger than the memory bus width of 64-bit targets, or almost | |
32 | as large as SIZE_MAX on 32-bit targets supported by glibc. In each case, | |
33 | it verifies that such impossibly large allocations correctly fail. */ | |
34 | ||
35 | ||
36 | #include <stdlib.h> | |
37 | #include <malloc.h> | |
38 | #include <errno.h> | |
39 | #include <stdint.h> | |
40 | #include <sys/resource.h> | |
41 | #include <libc-diag.h> | |
42 | #include <support/check.h> | |
43 | #include <unistd.h> | |
44 | #include <sys/param.h> | |
45 | ||
46 | ||
47 | /* This function prepares for each 'too-large memory allocation' test by | |
48 | performing a small successful malloc/free and resetting errno prior to | |
49 | the actual test. */ | |
50 | static void | |
51 | test_setup (void) | |
52 | { | |
53 | void *volatile ptr = malloc (16); | |
54 | TEST_VERIFY_EXIT (ptr != NULL); | |
55 | free (ptr); | |
56 | errno = 0; | |
57 | } | |
58 | ||
59 | ||
60 | /* This function tests each of: | |
61 | - malloc (SIZE) | |
62 | - realloc (PTR_FOR_REALLOC, SIZE) | |
63 | - for various values of NMEMB: | |
64 | - calloc (NMEMB, SIZE/NMEMB) | |
65 | - calloc (SIZE/NMEMB, NMEMB) | |
66 | - reallocarray (PTR_FOR_REALLOC, NMEMB, SIZE/NMEMB) | |
67 | - reallocarray (PTR_FOR_REALLOC, SIZE/NMEMB, NMEMB) | |
68 | and precedes each of these tests with a small malloc/free before it. */ | |
69 | static void | |
70 | test_large_allocations (size_t size) | |
71 | { | |
72 | void * ptr_to_realloc; | |
73 | ||
74 | test_setup (); | |
9bf8e29c AZ |
75 | DIAG_PUSH_NEEDS_COMMENT; |
76 | #if __GNUC_PREREQ (7, 0) | |
77 | /* GCC 7 warns about too-large allocations; here we want to test | |
78 | that they fail. */ | |
79 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
80 | #endif | |
8e448310 | 81 | TEST_VERIFY (malloc (size) == NULL); |
9bf8e29c AZ |
82 | #if __GNUC_PREREQ (7, 0) |
83 | DIAG_POP_NEEDS_COMMENT; | |
84 | #endif | |
8e448310 AS |
85 | TEST_VERIFY (errno == ENOMEM); |
86 | ||
87 | ptr_to_realloc = malloc (16); | |
88 | TEST_VERIFY_EXIT (ptr_to_realloc != NULL); | |
89 | test_setup (); | |
9bf8e29c AZ |
90 | #if __GNUC_PREREQ (7, 0) |
91 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
92 | #endif | |
8e448310 | 93 | TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL); |
9bf8e29c AZ |
94 | #if __GNUC_PREREQ (7, 0) |
95 | DIAG_POP_NEEDS_COMMENT; | |
96 | #endif | |
8e448310 AS |
97 | TEST_VERIFY (errno == ENOMEM); |
98 | free (ptr_to_realloc); | |
99 | ||
100 | for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2) | |
101 | if ((size % nmemb) == 0) | |
102 | { | |
103 | test_setup (); | |
104 | TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL); | |
105 | TEST_VERIFY (errno == ENOMEM); | |
106 | ||
107 | test_setup (); | |
108 | TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL); | |
109 | TEST_VERIFY (errno == ENOMEM); | |
110 | ||
111 | ptr_to_realloc = malloc (16); | |
112 | TEST_VERIFY_EXIT (ptr_to_realloc != NULL); | |
113 | test_setup (); | |
114 | TEST_VERIFY (reallocarray (ptr_to_realloc, nmemb, size / nmemb) == NULL); | |
115 | TEST_VERIFY (errno == ENOMEM); | |
116 | free (ptr_to_realloc); | |
117 | ||
118 | ptr_to_realloc = malloc (16); | |
119 | TEST_VERIFY_EXIT (ptr_to_realloc != NULL); | |
120 | test_setup (); | |
121 | TEST_VERIFY (reallocarray (ptr_to_realloc, size / nmemb, nmemb) == NULL); | |
122 | TEST_VERIFY (errno == ENOMEM); | |
123 | free (ptr_to_realloc); | |
124 | } | |
125 | else | |
126 | break; | |
127 | } | |
128 | ||
129 | ||
130 | static long pagesize; | |
131 | ||
132 | /* This function tests the following aligned memory allocation functions | |
133 | using several valid alignments and precedes each allocation test with a | |
134 | small malloc/free before it: | |
135 | memalign, posix_memalign, aligned_alloc, valloc, pvalloc. */ | |
136 | static void | |
137 | test_large_aligned_allocations (size_t size) | |
138 | { | |
139 | /* ptr stores the result of posix_memalign but since all those calls | |
140 | should fail, posix_memalign should never change ptr. We set it to | |
141 | NULL here and later on we check that it remains NULL after each | |
142 | posix_memalign call. */ | |
143 | void * ptr = NULL; | |
144 | ||
145 | size_t align; | |
146 | ||
147 | /* All aligned memory allocation functions expect an alignment that is a | |
148 | power of 2. Given this, we test each of them with every valid | |
149 | alignment from 1 thru PAGESIZE. */ | |
150 | for (align = 1; align <= pagesize; align *= 2) | |
151 | { | |
152 | test_setup (); | |
9bf8e29c AZ |
153 | #if __GNUC_PREREQ (7, 0) |
154 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
155 | #endif | |
8e448310 | 156 | TEST_VERIFY (memalign (align, size) == NULL); |
9bf8e29c AZ |
157 | #if __GNUC_PREREQ (7, 0) |
158 | DIAG_POP_NEEDS_COMMENT; | |
159 | #endif | |
8e448310 AS |
160 | TEST_VERIFY (errno == ENOMEM); |
161 | ||
162 | /* posix_memalign expects an alignment that is a power of 2 *and* a | |
163 | multiple of sizeof (void *). */ | |
164 | if ((align % sizeof (void *)) == 0) | |
165 | { | |
166 | test_setup (); | |
167 | TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM); | |
168 | TEST_VERIFY (ptr == NULL); | |
169 | } | |
170 | ||
171 | /* aligned_alloc expects a size that is a multiple of alignment. */ | |
172 | if ((size % align) == 0) | |
173 | { | |
174 | test_setup (); | |
9bf8e29c AZ |
175 | #if __GNUC_PREREQ (7, 0) |
176 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
177 | #endif | |
8e448310 | 178 | TEST_VERIFY (aligned_alloc (align, size) == NULL); |
9bf8e29c AZ |
179 | #if __GNUC_PREREQ (7, 0) |
180 | DIAG_POP_NEEDS_COMMENT; | |
181 | #endif | |
8e448310 AS |
182 | TEST_VERIFY (errno == ENOMEM); |
183 | } | |
184 | } | |
185 | ||
186 | /* Both valloc and pvalloc return page-aligned memory. */ | |
187 | ||
188 | test_setup (); | |
9bf8e29c AZ |
189 | #if __GNUC_PREREQ (7, 0) |
190 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
191 | #endif | |
8e448310 | 192 | TEST_VERIFY (valloc (size) == NULL); |
9bf8e29c AZ |
193 | #if __GNUC_PREREQ (7, 0) |
194 | DIAG_POP_NEEDS_COMMENT; | |
195 | #endif | |
8e448310 AS |
196 | TEST_VERIFY (errno == ENOMEM); |
197 | ||
198 | test_setup (); | |
9bf8e29c AZ |
199 | #if __GNUC_PREREQ (7, 0) |
200 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
201 | #endif | |
8e448310 | 202 | TEST_VERIFY (pvalloc (size) == NULL); |
9bf8e29c AZ |
203 | #if __GNUC_PREREQ (7, 0) |
204 | DIAG_POP_NEEDS_COMMENT; | |
205 | #endif | |
8e448310 AS |
206 | TEST_VERIFY (errno == ENOMEM); |
207 | } | |
208 | ||
209 | ||
210 | #define FOURTEEN_ON_BITS ((1UL << 14) - 1) | |
211 | #define FIFTY_ON_BITS ((1UL << 50) - 1) | |
212 | ||
213 | ||
214 | static int | |
215 | do_test (void) | |
216 | { | |
217 | ||
218 | #if __WORDSIZE >= 64 | |
219 | ||
220 | /* This test assumes that none of the supported targets have an address | |
221 | bus wider than 50 bits, and that therefore allocations for sizes wider | |
222 | than 50 bits will fail. Here, we ensure that the assumption continues | |
223 | to be true in the future when we might have address buses wider than 50 | |
224 | bits. */ | |
225 | ||
226 | struct rlimit alloc_size_limit | |
227 | = { | |
228 | .rlim_cur = FIFTY_ON_BITS, | |
229 | .rlim_max = FIFTY_ON_BITS | |
230 | }; | |
231 | ||
232 | setrlimit (RLIMIT_AS, &alloc_size_limit); | |
233 | ||
234 | #endif /* __WORDSIZE >= 64 */ | |
235 | ||
236 | DIAG_PUSH_NEEDS_COMMENT; | |
237 | #if __GNUC_PREREQ (7, 0) | |
238 | /* GCC 7 warns about too-large allocations; here we want to test | |
239 | that they fail. */ | |
240 | DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); | |
241 | #endif | |
242 | ||
243 | /* Aligned memory allocation functions need to be tested up to alignment | |
244 | size equivalent to page size, which should be a power of 2. */ | |
245 | pagesize = sysconf (_SC_PAGESIZE); | |
246 | TEST_VERIFY_EXIT (powerof2 (pagesize)); | |
247 | ||
248 | /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. | |
249 | in the range (SIZE_MAX - 2^14, SIZE_MAX], fail. | |
250 | ||
251 | We can expect that this range of allocation sizes will always lead to | |
252 | an allocation failure on both 64 and 32 bit targets, because: | |
253 | ||
254 | 1. no currently supported 64-bit target has an address bus wider than | |
255 | 50 bits -- and (2^64 - 2^14) is much wider than that; | |
256 | ||
257 | 2. on 32-bit targets, even though 2^32 is only 4 GB and potentially | |
258 | addressable, glibc itself is more than 2^14 bytes in size, and | |
259 | therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain | |
260 | available. */ | |
261 | ||
262 | for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++) | |
263 | { | |
264 | test_large_allocations (SIZE_MAX - i); | |
265 | test_large_aligned_allocations (SIZE_MAX - i); | |
266 | } | |
267 | ||
9bf8e29c AZ |
268 | /* Allocation larger than PTRDIFF_MAX does play well with C standard, |
269 | since pointer subtraction within the object might overflow ptrdiff_t | |
270 | resulting in undefined behavior. To prevent it malloc function fail | |
271 | for such allocations. */ | |
272 | for (size_t i = 1; i <= FOURTEEN_ON_BITS; i++) | |
273 | { | |
274 | test_large_allocations (PTRDIFF_MAX + i); | |
275 | test_large_aligned_allocations (PTRDIFF_MAX + i); | |
276 | } | |
277 | ||
8e448310 AS |
278 | #if __WORDSIZE >= 64 |
279 | /* On 64-bit targets, we need to test a much wider range of too-large | |
280 | sizes, so we test at intervals of (1 << 50) that allocation sizes | |
281 | ranging from SIZE_MAX down to (1 << 50) fail: | |
282 | The 14 MSBs are decremented starting from "all ON" going down to 1, | |
283 | the 50 LSBs are "all ON" and then "all OFF" during every iteration. */ | |
284 | for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--) | |
285 | { | |
286 | size_t size = (msbs << 50) | FIFTY_ON_BITS; | |
287 | test_large_allocations (size); | |
288 | test_large_aligned_allocations (size); | |
289 | ||
290 | size = msbs << 50; | |
291 | test_large_allocations (size); | |
292 | test_large_aligned_allocations (size); | |
293 | } | |
294 | #endif /* __WORDSIZE >= 64 */ | |
295 | ||
296 | DIAG_POP_NEEDS_COMMENT; | |
297 | ||
298 | return 0; | |
299 | } | |
300 | ||
301 | ||
302 | #include <support/test-driver.c> |