malloc: Always call memcpy in _int_realloc [BZ #24027]

This commit removes the custom memcpy implementation from _int_realloc
for small chunk sizes.  The ncopies variable has the wrong type, and
an integer wraparound could cause the existing code to copy too few
elements (leaving the new memory region mostly uninitialized).
Therefore, removing this code fixes bug 24027.

(cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)

diff --git a/ChangeLog b/ChangeLog
index 043e589364b424022d0ccbb52fb75ce10fd04fa5..4295c42db929bb33f2a89792a2a144b26c8672a7 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-31  Florian Weimer  <fw@deneb.enyo.de>
+
+       [BZ #24027]
+       * malloc/malloc.c (_int_realloc): Always call memcpy for the
+       copying operation.  (ncopies had the wrong type, resulting in an
+       integer wraparound and too few elements being copied.)
+
 2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
 
        * sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):

diff --git a/NEWS b/NEWS
index abe90d1422f1148368419e68f2071f3237d60752..ac22222a7c83550c8bcd5f3adc9f08979c694321 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -85,6 +85,7 @@ The following bugs are resolved with this release:
   [22715] x86-64: Properly align La_x86_64_retval to VEC_SIZE
   [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
   [23538] pthread_cond_broadcast: Fix waiters-after-spinning case
+  [24027] malloc: Integer overflow in realloc
 \f
 Version 2.25
 

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0686e5de8e10fd25d5fa88830d23e7a0d3f9d2f8..5cbdaef86376039256c6fc8490e501f97c31c95e 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4250,11 +4250,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
   mchunkptr        bck;             /* misc temp for linking */
   mchunkptr        fwd;             /* misc temp for linking */
 
-  unsigned long    copysize;        /* bytes to copy */
-  unsigned int     ncopies;         /* INTERNAL_SIZE_T words to copy */
-  INTERNAL_SIZE_T* s;               /* copy source */
-  INTERNAL_SIZE_T* d;               /* copy destination */
-
   const char *errstr = NULL;
 
   /* oldmem size */
@@ -4332,43 +4327,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-              /*
-                 Unroll copy of <= 36 bytes (72 if 8byte sizes)
-                 We know that contents have an odd number of
-                 INTERNAL_SIZE_T-sized words; minimally 3.
-               */
-
-              copysize = oldsize - SIZE_SZ;
-              s = (INTERNAL_SIZE_T *) (chunk2mem (oldp));
-              d = (INTERNAL_SIZE_T *) (newmem);
-              ncopies = copysize / sizeof (INTERNAL_SIZE_T);
-              assert (ncopies >= 3);
-
-              if (ncopies > 9)
-                memcpy (d, s, copysize);
-
-              else
-                {
-                  *(d + 0) = *(s + 0);
-                  *(d + 1) = *(s + 1);
-                  *(d + 2) = *(s + 2);
-                  if (ncopies > 4)
-                    {
-                      *(d + 3) = *(s + 3);
-                      *(d + 4) = *(s + 4);
-                      if (ncopies > 6)
-                        {
-                          *(d + 5) = *(s + 5);
-                          *(d + 6) = *(s + 6);
-                          if (ncopies > 8)
-                            {
-                              *(d + 7) = *(s + 7);
-                              *(d + 8) = *(s + 8);
-                            }
-                        }
-                    }
-                }
-
+             memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
               _int_free (av, oldp, 1);
               check_inuse_chunk (av, newp);
               return chunk2mem (newp);