From patchwork Tue Aug 20 08:24:52 2013
X-Patchwork-Submitter: Will Newton
X-Patchwork-Id: 19347
Message-ID: <521327D4.7020006@linaro.org>
Date: Tue, 20 Aug 2013 09:24:52 +0100
From: Will Newton
To: libc-alpha@sourceware.org
CC: patches@linaro.org
Subject: [PATCH v2] [BZ #15856] malloc: Check for integer overflow in valloc.

A large bytes parameter to valloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation.

ChangeLog:

2013-08-16 Will Newton

[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow.

---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

Changes in v2:
 - Add BZ number

diff --git a/malloc/malloc.c b/malloc/malloc.c index 7468758..9aecc85 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,10 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes + pagesz + MINSIZE < bytes) + return 0; + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0))
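Review bot: the new early exit `return 0;` in `__libc_valloc` reports failure without setting errno, so a caller that checks errno after a NULL return from valloc sees a stale value instead of ENOMEM. Consider calling `__set_errno (ENOMEM)` before the return. The comparison `bytes + pagesz + MINSIZE < bytes` is well defined for the unsigned `size_t` operands, but it only detects the wrap after it has happened and relies on `pagesz + MINSIZE` being small enough that the sum wraps at most once; writing it as `bytes > SIZE_MAX - pagesz - MINSIZE` states the limit directly and never computes an overflowed value. The check also sits before the `__memalign_hook` dispatch, so an installed hook no longer sees oversized requests; if that is intended, the comment could say so.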