From patchwork Mon Aug 19 19:46:46 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Will Newton
X-Patchwork-Id: 19333
Message-ID: <52127626.6050203@linaro.org>
Date: Mon, 19 Aug 2013 20:46:46 +0100
From: Will Newton User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130805 Thunderbird/17.0.8 MIME-Version: 1.0 To: libc-alpha@sourceware.org CC: patches@linaro.org Subject: [PATCH 2/7] malloc/malloc.c: Check for integer overflow in valloc. X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: will.newton@linaro.org X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.128.178 is neither permitted nor denied by best guess record for domain of patch+caf_=patchwork-forward=linaro.org@linaro.org) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Precedence: list Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org List-ID: X-Google-Group-Id: 836684582541 List-Post: , List-Help: , List-Archive: List-Unsubscribe: , A large bytes parameter to valloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-08-16 Will Newton * malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow. --- malloc/malloc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/malloc/malloc.c b/malloc/malloc.c index 7468758..9aecc85 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,10 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes + pagesz + MINSIZE < bytes) + return 0; + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0))
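Review bot: the new early exit in __libc_valloc, `return 0;`, fails the call without setting errno, so a caller that checks errno after a NULL return from valloc sees whatever value was there before. Set ENOMEM on that path, for example `__set_errno (ENOMEM);` inside a braced block ahead of the return. Two smaller points on the same lines: the wraparound test `bytes + pagesz + MINSIZE < bytes` is correct for unsigned size_t, but a comparison of the form `bytes > SIZE_MAX - pagesz - MINSIZE` states the limit directly and never performs the overflowing addition; and the comment `/* Check for overflow. */` does not say why `pagesz + MINSIZE` is the margin, so a short note naming the later size computation this guards would help the next reader confirm that the margin is large enough. The check is also placed ahead of the `__memalign_hook` dispatch, which means an installed hook never sees the rejected sizes; if that is intended, it is worth a word in the ChangeLog entry.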