Explicitly limit the OPENSSL_aligned_alloc()'s alignment to 65536

There is little need to support alignments larger than a page size,
and the open-coded OPENSSL_aligned_alloc() implementation implements
that support in quite wasteful manner, so it is better just to limit
the maximum supported alignment explicitly.  The value of 65536
has been chosen so it is architecture-agnostic and is no less than page sizes
used in commonly occurring architectures (and also it is a pretty number).

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)

diff --git a/crypto/aligned_alloc.c b/crypto/aligned_alloc.c
index dcc2b406a20c32036c1e1d96a16ea6f07629c93b..f2eed13c6c8e92e577935e03fd8c45a34fbc5bc4 100644 (file)
--- a/crypto/aligned_alloc.c
+++ b/crypto/aligned_alloc.c
@@ -21,8 +21,9 @@ void *ossl_malloc_align(size_t num, size_t alignment, void **freeptr,
 
     *freeptr = NULL;
 
-    /* Ensure that alignment is a power of two */
-    if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
+    /* Ensure that alignment is a power of two no larger than 65536 */
+    if (alignment == 0 || (alignment & (alignment - 1)) != 0
+        || alignment > 65536) {
         ossl_report_alloc_err_inv(file, line);
         return NULL;
     }

diff --git a/crypto/mem.c b/crypto/mem.c
index 681cecfadfd6469c1caa7f734d5d66f9739c4f34..f772e6c46166715b213dec0f94d0aa49856231a3 100644 (file)
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -233,8 +233,9 @@ void *CRYPTO_aligned_alloc(size_t num, size_t alignment, void **freeptr,
 {
     *freeptr = NULL;
 
-    /* Ensure that alignment is a power of two */
-    if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
+    /* Ensure that alignment is a power of two no larger than 65536 */
+    if (alignment == 0 || (alignment & (alignment - 1)) != 0
+        || alignment > 65536) {
         ossl_report_alloc_err_inv(file, line);
         return NULL;
     }

diff --git a/doc/man3/OPENSSL_malloc.pod b/doc/man3/OPENSSL_malloc.pod
index 63b7cfd29c83c60bc02a8af340d0d08af73cd04b..5ddc6e4a6c09596a2e1e74ee29e853aad7b68c6f 100644 (file)
--- a/doc/man3/OPENSSL_malloc.pod
+++ b/doc/man3/OPENSSL_malloc.pod
@@ -125,7 +125,7 @@ OPENSSL_zalloc() calls memset() to zero the memory before returning.
 OPENSSL_aligned_alloc() operates just as OPENSSL_malloc() does, but it
 allows for the caller to specify an alignment value, for instances in
 which the default alignment of malloc is insufficient for the caller's
-needs.  Note, the alignment value must be a power of 2.
+needs.  Note, the alignment value must be a power of 2 no larger than 65536.
 NOTE: the call to OPENSSL_aligned_alloc() accepts a 3rd argument, I<freeptr>
 which must point to a void pointer.  On some platforms, there is no available
 library call to obtain memory allocations with alignment greater than what
@@ -311,6 +311,9 @@ was built with C<OPENSSL_SMALL_FOOTPRINT> macro defined.  Consequently,
 the caller may need to fall back to a non-aligned memory allocation
 (and open-code the alignment routine if the alignment is a requirement).
 
+Before OpenSSL 4.0, the call to OPENSSL_aligned_alloc() did not have
+an explicit upper limit on the value of I<alignment>.
+
 =head1 COPYRIGHT
 
 Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/test/mem_alloc_test.c b/test/mem_alloc_test.c
index 30c479cd80aab66477d9dcebc918721d5c3f9ccb..98283121a64941c1b5479d529cf6dfcefc053917 100644 (file)
--- a/test/mem_alloc_test.c
+++ b/test/mem_alloc_test.c
@@ -173,6 +173,8 @@ static const struct array_aligned_alloc_vector {
 
     { 8, 8, 63, EXP_INVAL, EXP_INVAL },
     { 8, 8, 64, EXP_NONNULL, EXP_NONNULL },
+    { 3, 4, 65536, EXP_NONNULL, EXP_NONNULL },
+    { 8, 8, 131072, EXP_INVAL, EXP_INVAL },
     { SIZE_MAX / 8 + 9, 8, 64, EXP_NONNULL, EXP_INT_OF },
 
     /*