c6d234
The upstream patch is backported by excluding tests for reallocarray because
c6d234
this function is not present in RHEL-7.
c6d234
c6d234
commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22
c6d234
Author: Arjun Shankar <arjun.is@lostca.se>
c6d234
Date:   Thu Jan 18 16:47:06 2018 +0000
c6d234
c6d234
    Fix integer overflows in internal memalign and malloc functions [BZ #22343]
c6d234
    
c6d234
    When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
c6d234
    and a requested size close to SIZE_MAX, it falls back to malloc code
c6d234
    (because the alignment of a block returned by malloc is sufficient to
c6d234
    satisfy the call).  In this case, an integer overflow in _int_malloc leads
c6d234
    to posix_memalign incorrectly returning successfully.
c6d234
    
c6d234
    Upon fixing this and writing a somewhat thorough regression test, it was
c6d234
    discovered that when posix_memalign is called with an alignment larger than
c6d234
    MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
c6d234
    close to SIZE_MAX, a different integer overflow in _int_memalign leads to
c6d234
    posix_memalign incorrectly returning successfully.
c6d234
    
c6d234
    Both integer overflows affect other memory allocation functions that use
c6d234
    _int_malloc (one affected malloc in x86) or _int_memalign as well.
c6d234
    
c6d234
    This commit fixes both integer overflows.  In addition to this, it adds a
c6d234
    regression test to guard against false successful allocations by the
c6d234
    following memory allocation functions when called with too-large allocation
c6d234
    sizes and, where relevant, various valid alignments:
c6d234
    malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
c6d234
    aligned_alloc, valloc, and pvalloc.
c6d234
c6d234
Index: b/malloc/Makefile
c6d234
===================================================================
c6d234
--- a/malloc/Makefile
c6d234
+++ b/malloc/Makefile
c6d234
@@ -38,6 +38,7 @@ tests := mallocbug tst-malloc tst-valloc
c6d234
 	 tst-dynarray-fail \
c6d234
 	 tst-dynarray-at-fail \
c6d234
 	 tst-alloc_buffer \
c6d234
+	 tst-malloc-too-large \
c6d234
 
c6d234
 tests-static := \
c6d234
 	 tst-interpose-static-nothread \
c6d234
Index: b/malloc/malloc.c
c6d234
===================================================================
c6d234
--- a/malloc/malloc.c
c6d234
+++ b/malloc/malloc.c
c6d234
@@ -1273,14 +1273,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-
c6d234
    MINSIZE :                                                      \
c6d234
    ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
c6d234
 
c6d234
-/*  Same, except also perform argument check */
c6d234
-
c6d234
-#define checked_request2size(req, sz)                             \
c6d234
-  if (REQUEST_OUT_OF_RANGE(req)) {                                \
c6d234
-    __set_errno (ENOMEM);					  \
c6d234
-    return 0;                                                     \
c6d234
-  }                                                               \
c6d234
-  (sz) = request2size(req);
c6d234
+/* Same, except also perform an argument and result check.  First, we check
c6d234
+   that the padding done by request2size didn't result in an integer
c6d234
+   overflow.  Then we check (using REQUEST_OUT_OF_RANGE) that the resulting
c6d234
+   size isn't so large that a later alignment would lead to another integer
c6d234
+   overflow.  */
c6d234
+#define checked_request2size(req, sz) \
c6d234
+({				    \
c6d234
+  (sz) = request2size (req);	    \
c6d234
+  if (((sz) < (req))		    \
c6d234
+      || REQUEST_OUT_OF_RANGE (sz)) \
c6d234
+    {				    \
c6d234
+      __set_errno (ENOMEM);	    \
c6d234
+      return 0;			    \
c6d234
+    }				    \
c6d234
+})
c6d234
 
c6d234
 /*
c6d234
   --------------- Physical chunk operations ---------------
c6d234
@@ -4389,6 +4396,13 @@ _int_memalign(mstate av, size_t alignmen
c6d234
   */
c6d234
 
c6d234
 
c6d234
+  /* Check for overflow.  */
c6d234
+  if (nb > SIZE_MAX - alignment - MINSIZE)
c6d234
+    {
c6d234
+      __set_errno (ENOMEM);
c6d234
+      return 0;
c6d234
+    }
c6d234
+
c6d234
   /* Call malloc with worst case padding to hit alignment. */
c6d234
 
c6d234
   m  = (char*)(_int_malloc(av, nb + alignment + MINSIZE));
c6d234
Index: b/malloc/tst-malloc-too-large.c
c6d234
===================================================================
c6d234
--- /dev/null
c6d234
+++ b/malloc/tst-malloc-too-large.c
c6d234
@@ -0,0 +1,237 @@
c6d234
+/* Test and verify that too-large memory allocations fail with ENOMEM.
c6d234
+   Copyright (C) 2018 Free Software Foundation, Inc.
c6d234
+   This file is part of the GNU C Library.
c6d234
+
c6d234
+   The GNU C Library is free software; you can redistribute it and/or
c6d234
+   modify it under the terms of the GNU Lesser General Public
c6d234
+   License as published by the Free Software Foundation; either
c6d234
+   version 2.1 of the License, or (at your option) any later version.
c6d234
+
c6d234
+   The GNU C Library is distributed in the hope that it will be useful,
c6d234
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
c6d234
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
c6d234
+   Lesser General Public License for more details.
c6d234
+
c6d234
+   You should have received a copy of the GNU Lesser General Public
c6d234
+   License along with the GNU C Library; if not, see
c6d234
+   <http://www.gnu.org/licenses/>.  */
c6d234
+
c6d234
+/* Bug 22375 reported a regression in malloc where if after malloc'ing then
c6d234
+   free'ing a small block of memory, malloc is then called with a really
c6d234
+   large size argument (close to SIZE_MAX): instead of returning NULL and
c6d234
+   setting errno to ENOMEM, malloc incorrectly returns the previously
c6d234
+   allocated block instead.  Bug 22343 reported a similar case where
c6d234
+   posix_memalign incorrectly returns successfully when called with an with
c6d234
+   a really large size argument.
c6d234
+
c6d234
+   Both of these were caused by integer overflows in the allocator when it
c6d234
+   was trying to pad the requested size to allow for book-keeping or
c6d234
+   alignment.  This test guards against such bugs by repeatedly allocating
c6d234
+   and freeing small blocks of memory then trying to allocate various block
c6d234
+   sizes larger than the memory bus width of 64-bit targets, or almost
c6d234
+   as large as SIZE_MAX on 32-bit targets supported by glibc.  In each case,
c6d234
+   it verifies that such impossibly large allocations correctly fail.  */
c6d234
+
c6d234
+
c6d234
+#include <stdlib.h>
c6d234
+#include <malloc.h>
c6d234
+#include <errno.h>
c6d234
+#include <stdint.h>
c6d234
+#include <sys/resource.h>
c6d234
+#include <libc-diag.h>
c6d234
+#include <support/check.h>
c6d234
+#include <unistd.h>
c6d234
+#include <sys/param.h>
c6d234
+
c6d234
+
c6d234
+/* This function prepares for each 'too-large memory allocation' test by
c6d234
+   performing a small successful malloc/free and resetting errno prior to
c6d234
+   the actual test.  */
c6d234
+static void
c6d234
+test_setup (void)
c6d234
+{
c6d234
+  void *volatile ptr = malloc (16);
c6d234
+  TEST_VERIFY_EXIT (ptr != NULL);
c6d234
+  free (ptr);
c6d234
+  errno = 0;
c6d234
+}
c6d234
+
c6d234
+
c6d234
+/* This function tests each of:
c6d234
+   - malloc (SIZE)
c6d234
+   - realloc (PTR_FOR_REALLOC, SIZE)
c6d234
+   - for various values of NMEMB:
c6d234
+    - calloc (NMEMB, SIZE/NMEMB)
c6d234
+    - calloc (SIZE/NMEMB, NMEMB)
c6d234
+   and precedes each of these tests with a small malloc/free before it.  */
c6d234
+static void
c6d234
+test_large_allocations (size_t size)
c6d234
+{
c6d234
+  void * ptr_to_realloc;
c6d234
+
c6d234
+  test_setup ();
c6d234
+  TEST_VERIFY (malloc (size) == NULL);
c6d234
+  TEST_VERIFY (errno == ENOMEM);
c6d234
+
c6d234
+  ptr_to_realloc = malloc (16);
c6d234
+  TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
c6d234
+  test_setup ();
c6d234
+  TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);
c6d234
+  TEST_VERIFY (errno == ENOMEM);
c6d234
+  free (ptr_to_realloc);
c6d234
+
c6d234
+  for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2)
c6d234
+    if ((size % nmemb) == 0)
c6d234
+      {
c6d234
+        test_setup ();
c6d234
+        TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);
c6d234
+        TEST_VERIFY (errno == ENOMEM);
c6d234
+
c6d234
+        test_setup ();
c6d234
+        TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);
c6d234
+        TEST_VERIFY (errno == ENOMEM);
c6d234
+      }
c6d234
+    else
c6d234
+      break;
c6d234
+}
c6d234
+
c6d234
+
c6d234
+static long pagesize;
c6d234
+
c6d234
+/* This function tests the following aligned memory allocation functions
c6d234
+   using several valid alignments and precedes each allocation test with a
c6d234
+   small malloc/free before it:
c6d234
+   memalign, posix_memalign, aligned_alloc, valloc, pvalloc.  */
c6d234
+static void
c6d234
+test_large_aligned_allocations (size_t size)
c6d234
+{
c6d234
+  /* ptr stores the result of posix_memalign but since all those calls
c6d234
+     should fail, posix_memalign should never change ptr.  We set it to
c6d234
+     NULL here and later on we check that it remains NULL after each
c6d234
+     posix_memalign call.  */
c6d234
+  void * ptr = NULL;
c6d234
+
c6d234
+  size_t align;
c6d234
+
c6d234
+  /* All aligned memory allocation functions expect an alignment that is a
c6d234
+     power of 2.  Given this, we test each of them with every valid
c6d234
+     alignment from 1 thru PAGESIZE.  */
c6d234
+  for (align = 1; align <= pagesize; align *= 2)
c6d234
+    {
c6d234
+      test_setup ();
c6d234
+      TEST_VERIFY (memalign (align, size) == NULL);
c6d234
+      TEST_VERIFY (errno == ENOMEM);
c6d234
+
c6d234
+      /* posix_memalign expects an alignment that is a power of 2 *and* a
c6d234
+         multiple of sizeof (void *).  */
c6d234
+      if ((align % sizeof (void *)) == 0)
c6d234
+        {
c6d234
+          test_setup ();
c6d234
+          TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);
c6d234
+          TEST_VERIFY (ptr == NULL);
c6d234
+        }
c6d234
+
c6d234
+      /* aligned_alloc expects a size that is a multiple of alignment.  */
c6d234
+      if ((size % align) == 0)
c6d234
+        {
c6d234
+          test_setup ();
c6d234
+          TEST_VERIFY (aligned_alloc (align, size) == NULL);
c6d234
+          TEST_VERIFY (errno == ENOMEM);
c6d234
+        }
c6d234
+    }
c6d234
+
c6d234
+  /* Both valloc and pvalloc return page-aligned memory.  */
c6d234
+
c6d234
+  test_setup ();
c6d234
+  TEST_VERIFY (valloc (size) == NULL);
c6d234
+  TEST_VERIFY (errno == ENOMEM);
c6d234
+
c6d234
+  test_setup ();
c6d234
+  TEST_VERIFY (pvalloc (size) == NULL);
c6d234
+  TEST_VERIFY (errno == ENOMEM);
c6d234
+}
c6d234
+
c6d234
+
c6d234
+#define FOURTEEN_ON_BITS ((1UL << 14) - 1)
c6d234
+#define FIFTY_ON_BITS ((1UL << 50) - 1)
c6d234
+
c6d234
+
c6d234
+static int
c6d234
+do_test (void)
c6d234
+{
c6d234
+
c6d234
+#if __WORDSIZE >= 64
c6d234
+
c6d234
+  /* This test assumes that none of the supported targets have an address
c6d234
+     bus wider than 50 bits, and that therefore allocations for sizes wider
c6d234
+     than 50 bits will fail.  Here, we ensure that the assumption continues
c6d234
+     to be true in the future when we might have address buses wider than 50
c6d234
+     bits.  */
c6d234
+
c6d234
+  struct rlimit alloc_size_limit
c6d234
+    = {
c6d234
+        .rlim_cur = FIFTY_ON_BITS,
c6d234
+        .rlim_max = FIFTY_ON_BITS
c6d234
+      };
c6d234
+
c6d234
+  setrlimit (RLIMIT_AS, &alloc_size_limit);
c6d234
+
c6d234
+#endif /* __WORDSIZE >= 64 */
c6d234
+
c6d234
+  DIAG_PUSH_NEEDS_COMMENT;
c6d234
+#if __GNUC_PREREQ (7, 0)
c6d234
+  /* GCC 7 warns about too-large allocations; here we want to test
c6d234
+     that they fail.  */
c6d234
+  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
c6d234
+#endif
c6d234
+
c6d234
+  /* Aligned memory allocation functions need to be tested up to alignment
c6d234
+     size equivalent to page size, which should be a power of 2.  */
c6d234
+  pagesize = sysconf (_SC_PAGESIZE);
c6d234
+  TEST_VERIFY_EXIT (powerof2 (pagesize));
c6d234
+
c6d234
+  /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
c6d234
+     in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
c6d234
+
c6d234
+     We can expect that this range of allocation sizes will always lead to
c6d234
+     an allocation failure on both 64 and 32 bit targets, because:
c6d234
+
c6d234
+     1. no currently supported 64-bit target has an address bus wider than
c6d234
+     50 bits -- and (2^64 - 2^14) is much wider than that;
c6d234
+
c6d234
+     2. on 32-bit targets, even though 2^32 is only 4 GB and potentially
c6d234
+     addressable, glibc itself is more than 2^14 bytes in size, and
c6d234
+     therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain
c6d234
+     available.  */
c6d234
+
c6d234
+  for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)
c6d234
+    {
c6d234
+      test_large_allocations (SIZE_MAX - i);
c6d234
+      test_large_aligned_allocations (SIZE_MAX - i);
c6d234
+    }
c6d234
+
c6d234
+#if __WORDSIZE >= 64
c6d234
+  /* On 64-bit targets, we need to test a much wider range of too-large
c6d234
+     sizes, so we test at intervals of (1 << 50) that allocation sizes
c6d234
+     ranging from SIZE_MAX down to (1 << 50) fail:
c6d234
+     The 14 MSBs are decremented starting from "all ON" going down to 1,
c6d234
+     the 50 LSBs are "all ON" and then "all OFF" during every iteration.  */
c6d234
+  for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--)
c6d234
+    {
c6d234
+      size_t size = (msbs << 50) | FIFTY_ON_BITS;
c6d234
+      test_large_allocations (size);
c6d234
+      test_large_aligned_allocations (size);
c6d234
+
c6d234
+      size = msbs << 50;
c6d234
+      test_large_allocations (size);
c6d234
+      test_large_aligned_allocations (size);
c6d234
+    }
c6d234
+#endif /* __WORDSIZE >= 64 */
c6d234
+
c6d234
+  DIAG_POP_NEEDS_COMMENT;
c6d234
+
c6d234
+  return 0;
c6d234
+}
c6d234
+
c6d234
+
c6d234
+#include <support/test-driver.c>