From patchwork Tue Sep 10 13:16:23 2013
X-Patchwork-Submitter: Will Newton
X-Patchwork-Id: 19900
Message-ID: <522F1BA7.7070102@linaro.org>
Date: Tue, 10 Sep 2013 14:16:23 +0100
From: Will Newton
To: libc-alpha@sourceware.org
CC: patches@linaro.org
Subject: [PATCH v3] [BZ #15857] malloc: Check for integer overflow in memalign.

A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-08-16  Will Newton

	[BZ #15857]
	* malloc/malloc.c (__libc_memalign): Check the value of bytes
	does not overflow.
---
 malloc/malloc.c | 7 +++++++
 1 file changed, 7 insertions(+)

Changes in v3:
 - Reorder if condition
 - Set errno appropriately

diff --git a/malloc/malloc.c b/malloc/malloc.c index 3148c5f..f7718a9 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes) /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0;
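
Review bot: In the new test `bytes > SIZE_MAX - alignment - MINSIZE`, the right-hand side is itself unsigned arithmetic and wraps when `alignment` is larger than `SIZE_MAX - MINSIZE`. The context lines shown only clamp `alignment` from below (`if (alignment < MINSIZE) alignment = MINSIZE;`), so with a very large alignment the bound wraps to a large value, the test passes, and `arena_get(ar_ptr, bytes + alignment + MINSIZE)` still receives an overflowed sum. Unless an upper bound on `alignment` is enforced earlier in `__libc_memalign`, outside the visible context, consider rejecting an oversized `alignment` with ENOMEM before this test. The diffstat touches only malloc/malloc.c, so a regression test that calls memalign with a bytes value near SIZE_MAX and expects a null return with errno set to ENOMEM would be worth adding with this change.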