[v3,BZ,#15857] malloc: Check for integer overflow in memalign.

Message ID 522F1BA7.7070102@linaro.org
State Accepted
Headers show

Commit Message

Will Newton Sept. 10, 2013, 1:16 p.m.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-08-16  Will Newton  <will.newton@linaro.org>

	[BZ #15857]
	* malloc/malloc.c (__libc_memalign): Check the value of bytes
	does not overflow.
---
 malloc/malloc.c | 7 +++++++
 1 file changed, 7 insertions(+)

Changes in v3:
 - Reorder if condition
 - Set errno appropriately

Comments

Siddhesh Poyarekar Sept. 10, 2013, 1:34 p.m. | #1
On 10 September 2013 18:46, Will Newton <will.newton@linaro.org> wrote:
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 3148c5f..f7718a9 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
>    /* Otherwise, ensure that it is at least a minimum chunk size */
>    if (alignment <  MINSIZE) alignment = MINSIZE;
>
> +  /* Check for overflow.  */
> +  if (bytes > SIZE_MAX - alignment - MINSIZE)
> +    {
> +      __set_errno (ENOMEM);
> +      return 0;
> +    }
> +
>    arena_get(ar_ptr, bytes + alignment + MINSIZE);
>    if(!ar_ptr)
>      return 0;

Looks OK to me.

Siddhesh
Will Newton Sept. 11, 2013, 10:02 a.m. | #2
On 10 September 2013 14:34, Siddhesh Poyarekar
<siddhesh.poyarekar@gmail.com> wrote:
> On 10 September 2013 18:46, Will Newton <will.newton@linaro.org> wrote:
>> diff --git a/malloc/malloc.c b/malloc/malloc.c
>> index 3148c5f..f7718a9 100644
>> --- a/malloc/malloc.c
>> +++ b/malloc/malloc.c
>> @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
>>    /* Otherwise, ensure that it is at least a minimum chunk size */
>>    if (alignment <  MINSIZE) alignment = MINSIZE;
>>
>> +  /* Check for overflow.  */
>> +  if (bytes > SIZE_MAX - alignment - MINSIZE)
>> +    {
>> +      __set_errno (ENOMEM);
>> +      return 0;
>> +    }
>> +
>>    arena_get(ar_ptr, bytes + alignment + MINSIZE);
>>    if(!ar_ptr)
>>      return 0;
>
> Looks OK to me.

Thanks Siddhesh. I've applied the fixes for pvalloc, valloc and memalign.

These patches should also apply cleanly to 2.18, should I cherry pick
them there too?

Also I am not sure if it is worth allocating a CVE number for these
issues - pvalloc and valloc seem very rarely used but memalign and
posix_memalign are more common.
Siddhesh Poyarekar Sept. 11, 2013, 10:18 a.m. | #3
On 11 September 2013 15:32, Will Newton <will.newton@linaro.org> wrote:
> These patches should also apply cleanly to 2.18, should I cherry pick
> them there too?

David owns 2.18, so he can take that call.

> Also I am not sure if it is worth allocating a CVE number for these
> issues - pvalloc and valloc seem very rarely used but memalign and
> posix_memalign are more common.

It would be useful to allocate a CVE number.  The fact that pvalloc
and valloc are rarely used doesn't matter in this decision - it
matters when evaluating the impact of the bug.

Siddhesh
Will Newton Sept. 11, 2013, 10:32 a.m. | #4
On 11 September 2013 11:18, Siddhesh Poyarekar
<siddhesh.poyarekar@gmail.com> wrote:

>> Also I am not sure if it is worth allocating a CVE number for these
>> issues - pvalloc and valloc seem very rarely used but memalign and
>> posix_memalign are more common.
>
> It would be useful to allocate a CVE number.  The fact that pvalloc
> and valloc are rarely used doesn't matter in this decision - it
> matters when evaluating the impact of the bug.

I'm not sure what the process is here, MAINTAINERS on the wiki has a
link to CERT, but I aware that there are folks who work for CVE
issuing authorities on this list. ;-)
Siddhesh Poyarekar Sept. 11, 2013, 10:45 a.m. | #5
On 11 September 2013 16:02, Will Newton <will.newton@linaro.org> wrote:
> I'm not sure what the process is here, MAINTAINERS on the wiki has a
> link to CERT, but I aware that there are folks who work for CVE
> issuing authorities on this list. ;-)

I've seen people emailing requests for CVE numbers on the oss-security
mailing list (oss-security at lists dot openwall dot com).

Siddhesh

Patch

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 3148c5f..f7718a9 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@  __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;

+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;