git.ipfire.org Git - thirdparty/glibc.git/commit

author	Arjun Shankar <arjun.is@lostca.se>
	Thu, 18 Jan 2018 16:47:06 +0000 (16:47 +0000)
committer	Arjun Shankar <arjun@redhat.com>
	Thu, 18 Jan 2018 16:55:45 +0000 (17:55 +0100)
commit	8e448310d74b283c5cd02b9ed7fb997b47bf9b22
tree	a5cb99be6773177cf14683cbf10ecbc34a7dc82c	tree \| snapshot
parent	80647883cf5847c8b6b0197e9703eb04222496b6	commit \| diff

Fix integer overflows in internal memalign and malloc functions [BZ #22343]

When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
and a requested size close to SIZE_MAX, it falls back to malloc code
(because the alignment of a block returned by malloc is sufficient to
satisfy the call). In this case, an integer overflow in _int_malloc leads
to posix_memalign incorrectly returning successfully.

Upon fixing this and writing a somewhat thorough regression test, it was
discovered that when posix_memalign is called with an alignment larger than
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
posix_memalign incorrectly returning successfully.

Both integer overflows affect other memory allocation functions that use
_int_malloc (one affected malloc in x86) or _int_memalign as well.

This commit fixes both integer overflows. In addition to this, it adds a
regression test to guard against false successful allocations by the
following memory allocation functions when called with too-large allocation
sizes and, where relevant, various valid alignments:
malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
aligned_alloc, valloc, and pvalloc.

ChangeLog		diff \| blob \| blame \| history
malloc/Makefile		diff \| blob \| blame \| history
malloc/malloc.c		diff \| blob \| blame \| history
malloc/tst-malloc-too-large.c	[new file with mode: 0644]	blob