From patchwork Tue Aug 20 08:24:46 2013
X-Patchwork-Submitter: Will Newton
X-Patchwork-Id: 19346
Message-ID: <521327CE.2040705@linaro.org>
Date: Tue, 20 Aug 2013 09:24:46 +0100
From: Will Newton
To: libc-alpha@sourceware.org
CC: patches@linaro.org
Subject: [PATCH v2] [BZ #15857] malloc: Check for integer overflow in memalign.

A large bytes parameter to memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation.

ChangeLog:

2013-08-16 Will Newton

[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes does not overflow.

---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

Changes in v2:
 - Add BZ number

diff --git a/malloc/malloc.c b/malloc/malloc.c index 9aecc85..8c1aab8 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,10 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes + alignment + MINSIZE < bytes) + return 0; + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0;
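
Review bot: The added check `if (bytes + alignment + MINSIZE < bytes)` only catches a single wrap of the sum, so it relies on `alignment` already being bounded from above, and the visible context only raises it to `MINSIZE`. In size_t arithmetic, a small `bytes` with an `alignment` near the top of the range makes `bytes + alignment` wrap to a small value, and adding `MINSIZE` can then produce a result that is not less than `bytes`, so the test passes and `arena_get` still receives a wrapped size. Consider rejecting an oversized `alignment` first and then writing the test in subtraction form, e.g. `if (bytes > SIZE_MAX - alignment - MINSIZE)`, which cannot itself wrap once `alignment` is bounded. The new failure path also returns 0 without setting `errno`; setting `ENOMEM` there would match how allocation failure is normally reported to callers, and a regression test using a near-`SIZE_MAX` `bytes` value would be worth adding alongside the fix.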