malloc: Always call memcpy in _int_realloc [BZ #24027]

This commit removes the custom memcpy implementation from _int_realloc
for small chunk sizes.  The ncopies variable has the wrong type, and
an integer wraparound could cause the existing code to copy too few
elements (leaving the new memory region mostly uninitialized).
Therefore, removing this code fixes bug 24027.

(cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)

diff --git a/ChangeLog b/ChangeLog
index c7a04d87178a3e27ee730feb2adca9df10e54f12..ec7dcc67b278f7eafac9b132d8ce68dd36110ddb 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-31  Florian Weimer  <fw@deneb.enyo.de>
+
+       [BZ #24027]
+       * malloc/malloc.c (_int_realloc): Always call memcpy for the
+       copying operation.  (ncopies had the wrong type, resulting in an
+       integer wraparound and too few elements being copied.)
+
 2018-12-28  Aurelien Jarno  <aurelien@aurel32.net>
 
        * sysdeps/alpha/fpu/libm-test-ulps: Regenerated.

diff --git a/NEWS b/NEWS
index 05f7342fcbc1eecdf93e81091e1cc3c2bcf40b8b..d350d4666a845fef014a23b5b084976bc778f0a5 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -28,6 +28,7 @@ The following bugs are resolved with this release:
   [23822] ia64 static libm.a is missing exp2f, log2f and powf symbols
   [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
   [23972] __old_getdents64 uses wrong d_off value on overflow
+  [24027] malloc: Integer overflow in realloc
 
 Security related changes:
 

diff --git a/malloc/malloc.c b/malloc/malloc.c
index dad0e737357895307832f8e1123e5c3b194ae67a..27cf6137c252a9ab9aef2c6d062d0ba3eae26e99 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4544,11 +4544,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
   mchunkptr        bck;             /* misc temp for linking */
   mchunkptr        fwd;             /* misc temp for linking */
 
-  unsigned long    copysize;        /* bytes to copy */
-  unsigned int     ncopies;         /* INTERNAL_SIZE_T words to copy */
-  INTERNAL_SIZE_T* s;               /* copy source */
-  INTERNAL_SIZE_T* d;               /* copy destination */
-
   /* oldmem size */
   if (__builtin_expect (chunksize_nomask (oldp) <= 2 * SIZE_SZ, 0)
       || __builtin_expect (oldsize >= av->system_mem, 0))
@@ -4616,43 +4611,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-              /*
-                 Unroll copy of <= 36 bytes (72 if 8byte sizes)
-                 We know that contents have an odd number of
-                 INTERNAL_SIZE_T-sized words; minimally 3.
-               */
-
-              copysize = oldsize - SIZE_SZ;
-              s = (INTERNAL_SIZE_T *) (chunk2mem (oldp));
-              d = (INTERNAL_SIZE_T *) (newmem);
-              ncopies = copysize / sizeof (INTERNAL_SIZE_T);
-              assert (ncopies >= 3);
-
-              if (ncopies > 9)
-                memcpy (d, s, copysize);
-
-              else
-                {
-                  *(d + 0) = *(s + 0);
-                  *(d + 1) = *(s + 1);
-                  *(d + 2) = *(s + 2);
-                  if (ncopies > 4)
-                    {
-                      *(d + 3) = *(s + 3);
-                      *(d + 4) = *(s + 4);
-                      if (ncopies > 6)
-                        {
-                          *(d + 5) = *(s + 5);
-                          *(d + 6) = *(s + 6);
-                          if (ncopies > 8)
-                            {
-                              *(d + 7) = *(s + 7);
-                              *(d + 8) = *(s + 8);
-                            }
-                        }
-                    }
-                }
-
+             memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
               _int_free (av, oldp, 1);
               check_inuse_chunk (av, newp);
               return chunk2mem (newp);