|
|
c6d234 |
The upstream patch is backported by excluding tests for reallocarray because
|
|
|
c6d234 |
this function is not present in RHEL-7.
|
|
|
c6d234 |
|
|
|
c6d234 |
commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22
|
|
|
c6d234 |
Author: Arjun Shankar <arjun.is@lostca.se>
|
|
|
c6d234 |
Date: Thu Jan 18 16:47:06 2018 +0000
|
|
|
c6d234 |
|
|
|
c6d234 |
Fix integer overflows in internal memalign and malloc functions [BZ #22343]
|
|
|
c6d234 |
|
|
|
c6d234 |
When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
|
|
|
c6d234 |
and a requested size close to SIZE_MAX, it falls back to malloc code
|
|
|
c6d234 |
(because the alignment of a block returned by malloc is sufficient to
|
|
|
c6d234 |
satisfy the call). In this case, an integer overflow in _int_malloc leads
|
|
|
c6d234 |
to posix_memalign incorrectly returning successfully.
|
|
|
c6d234 |
|
|
|
c6d234 |
Upon fixing this and writing a somewhat thorough regression test, it was
|
|
|
c6d234 |
discovered that when posix_memalign is called with an alignment larger than
|
|
|
c6d234 |
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
|
|
|
c6d234 |
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
|
|
|
c6d234 |
posix_memalign incorrectly returning successfully.
|
|
|
c6d234 |
|
|
|
c6d234 |
Both integer overflows affect other memory allocation functions that use
|
|
|
c6d234 |
_int_malloc (one affected malloc in x86) or _int_memalign as well.
|
|
|
c6d234 |
|
|
|
c6d234 |
This commit fixes both integer overflows. In addition to this, it adds a
|
|
|
c6d234 |
regression test to guard against false successful allocations by the
|
|
|
c6d234 |
following memory allocation functions when called with too-large allocation
|
|
|
c6d234 |
sizes and, where relevant, various valid alignments:
|
|
|
c6d234 |
malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
|
|
|
c6d234 |
aligned_alloc, valloc, and pvalloc.
|
|
|
c6d234 |
|
|
|
c6d234 |
Index: b/malloc/Makefile
|
|
|
c6d234 |
===================================================================
|
|
|
c6d234 |
--- a/malloc/Makefile
|
|
|
c6d234 |
+++ b/malloc/Makefile
|
|
|
c6d234 |
@@ -38,6 +38,7 @@ tests := mallocbug tst-malloc tst-valloc
|
|
|
c6d234 |
tst-dynarray-fail \
|
|
|
c6d234 |
tst-dynarray-at-fail \
|
|
|
c6d234 |
tst-alloc_buffer \
|
|
|
c6d234 |
+ tst-malloc-too-large \
|
|
|
c6d234 |
|
|
|
c6d234 |
tests-static := \
|
|
|
c6d234 |
tst-interpose-static-nothread \
|
|
|
c6d234 |
Index: b/malloc/malloc.c
|
|
|
c6d234 |
===================================================================
|
|
|
c6d234 |
--- a/malloc/malloc.c
|
|
|
c6d234 |
+++ b/malloc/malloc.c
|
|
|
c6d234 |
@@ -1273,14 +1273,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-
|
|
|
c6d234 |
MINSIZE : \
|
|
|
c6d234 |
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
|
|
|
c6d234 |
|
|
|
c6d234 |
-/* Same, except also perform argument check */
|
|
|
c6d234 |
-
|
|
|
c6d234 |
-#define checked_request2size(req, sz) \
|
|
|
c6d234 |
- if (REQUEST_OUT_OF_RANGE(req)) { \
|
|
|
c6d234 |
- __set_errno (ENOMEM); \
|
|
|
c6d234 |
- return 0; \
|
|
|
c6d234 |
- } \
|
|
|
c6d234 |
- (sz) = request2size(req);
|
|
|
c6d234 |
+/* Same, except also perform an argument and result check. First, we check
|
|
|
c6d234 |
+ that the padding done by request2size didn't result in an integer
|
|
|
c6d234 |
+ overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting
|
|
|
c6d234 |
+ size isn't so large that a later alignment would lead to another integer
|
|
|
c6d234 |
+ overflow. */
|
|
|
c6d234 |
+#define checked_request2size(req, sz) \
|
|
|
c6d234 |
+({ \
|
|
|
c6d234 |
+ (sz) = request2size (req); \
|
|
|
c6d234 |
+ if (((sz) < (req)) \
|
|
|
c6d234 |
+ || REQUEST_OUT_OF_RANGE (sz)) \
|
|
|
c6d234 |
+ { \
|
|
|
c6d234 |
+ __set_errno (ENOMEM); \
|
|
|
c6d234 |
+ return 0; \
|
|
|
c6d234 |
+ } \
|
|
|
c6d234 |
+})
|
|
|
c6d234 |
|
|
|
c6d234 |
/*
|
|
|
c6d234 |
--------------- Physical chunk operations ---------------
|
|
|
c6d234 |
@@ -4389,6 +4396,13 @@ _int_memalign(mstate av, size_t alignmen
|
|
|
c6d234 |
*/
|
|
|
c6d234 |
|
|
|
c6d234 |
|
|
|
c6d234 |
+ /* Check for overflow. */
|
|
|
c6d234 |
+ if (nb > SIZE_MAX - alignment - MINSIZE)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ __set_errno (ENOMEM);
|
|
|
c6d234 |
+ return 0;
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+
|
|
|
c6d234 |
/* Call malloc with worst case padding to hit alignment. */
|
|
|
c6d234 |
|
|
|
c6d234 |
m = (char*)(_int_malloc(av, nb + alignment + MINSIZE));
|
|
|
c6d234 |
Index: b/malloc/tst-malloc-too-large.c
|
|
|
c6d234 |
===================================================================
|
|
|
c6d234 |
--- /dev/null
|
|
|
c6d234 |
+++ b/malloc/tst-malloc-too-large.c
|
|
|
c6d234 |
@@ -0,0 +1,237 @@
|
|
|
c6d234 |
+/* Test and verify that too-large memory allocations fail with ENOMEM.
|
|
|
c6d234 |
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
|
|
c6d234 |
+ This file is part of the GNU C Library.
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
c6d234 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
c6d234 |
+ License as published by the Free Software Foundation; either
|
|
|
c6d234 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
c6d234 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
c6d234 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
c6d234 |
+ Lesser General Public License for more details.
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
c6d234 |
+ License along with the GNU C Library; if not, see
|
|
|
c6d234 |
+ <http://www.gnu.org/licenses/>. */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+/* Bug 22375 reported a regression in malloc where if after malloc'ing then
|
|
|
c6d234 |
+ free'ing a small block of memory, malloc is then called with a really
|
|
|
c6d234 |
+ large size argument (close to SIZE_MAX): instead of returning NULL and
|
|
|
c6d234 |
+ setting errno to ENOMEM, malloc incorrectly returns the previously
|
|
|
c6d234 |
+ allocated block instead. Bug 22343 reported a similar case where
|
|
|
c6d234 |
+ posix_memalign incorrectly returns successfully when called with an with
|
|
|
c6d234 |
+ a really large size argument.
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ Both of these were caused by integer overflows in the allocator when it
|
|
|
c6d234 |
+ was trying to pad the requested size to allow for book-keeping or
|
|
|
c6d234 |
+ alignment. This test guards against such bugs by repeatedly allocating
|
|
|
c6d234 |
+ and freeing small blocks of memory then trying to allocate various block
|
|
|
c6d234 |
+ sizes larger than the memory bus width of 64-bit targets, or almost
|
|
|
c6d234 |
+ as large as SIZE_MAX on 32-bit targets supported by glibc. In each case,
|
|
|
c6d234 |
+ it verifies that such impossibly large allocations correctly fail. */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#include <stdlib.h>
|
|
|
c6d234 |
+#include <malloc.h>
|
|
|
c6d234 |
+#include <errno.h>
|
|
|
c6d234 |
+#include <stdint.h>
|
|
|
c6d234 |
+#include <sys/resource.h>
|
|
|
c6d234 |
+#include <libc-diag.h>
|
|
|
c6d234 |
+#include <support/check.h>
|
|
|
c6d234 |
+#include <unistd.h>
|
|
|
c6d234 |
+#include <sys/param.h>
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+/* This function prepares for each 'too-large memory allocation' test by
|
|
|
c6d234 |
+ performing a small successful malloc/free and resetting errno prior to
|
|
|
c6d234 |
+ the actual test. */
|
|
|
c6d234 |
+static void
|
|
|
c6d234 |
+test_setup (void)
|
|
|
c6d234 |
+{
|
|
|
c6d234 |
+ void *volatile ptr = malloc (16);
|
|
|
c6d234 |
+ TEST_VERIFY_EXIT (ptr != NULL);
|
|
|
c6d234 |
+ free (ptr);
|
|
|
c6d234 |
+ errno = 0;
|
|
|
c6d234 |
+}
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+/* This function tests each of:
|
|
|
c6d234 |
+ - malloc (SIZE)
|
|
|
c6d234 |
+ - realloc (PTR_FOR_REALLOC, SIZE)
|
|
|
c6d234 |
+ - for various values of NMEMB:
|
|
|
c6d234 |
+ - calloc (NMEMB, SIZE/NMEMB)
|
|
|
c6d234 |
+ - calloc (SIZE/NMEMB, NMEMB)
|
|
|
c6d234 |
+ and precedes each of these tests with a small malloc/free before it. */
|
|
|
c6d234 |
+static void
|
|
|
c6d234 |
+test_large_allocations (size_t size)
|
|
|
c6d234 |
+{
|
|
|
c6d234 |
+ void * ptr_to_realloc;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (malloc (size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ ptr_to_realloc = malloc (16);
|
|
|
c6d234 |
+ TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+ free (ptr_to_realloc);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ for (size_t nmemb = 1; nmemb <= 8; nmemb *= 2)
|
|
|
c6d234 |
+ if ((size % nmemb) == 0)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+ else
|
|
|
c6d234 |
+ break;
|
|
|
c6d234 |
+}
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+static long pagesize;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+/* This function tests the following aligned memory allocation functions
|
|
|
c6d234 |
+ using several valid alignments and precedes each allocation test with a
|
|
|
c6d234 |
+ small malloc/free before it:
|
|
|
c6d234 |
+ memalign, posix_memalign, aligned_alloc, valloc, pvalloc. */
|
|
|
c6d234 |
+static void
|
|
|
c6d234 |
+test_large_aligned_allocations (size_t size)
|
|
|
c6d234 |
+{
|
|
|
c6d234 |
+ /* ptr stores the result of posix_memalign but since all those calls
|
|
|
c6d234 |
+ should fail, posix_memalign should never change ptr. We set it to
|
|
|
c6d234 |
+ NULL here and later on we check that it remains NULL after each
|
|
|
c6d234 |
+ posix_memalign call. */
|
|
|
c6d234 |
+ void * ptr = NULL;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ size_t align;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* All aligned memory allocation functions expect an alignment that is a
|
|
|
c6d234 |
+ power of 2. Given this, we test each of them with every valid
|
|
|
c6d234 |
+ alignment from 1 thru PAGESIZE. */
|
|
|
c6d234 |
+ for (align = 1; align <= pagesize; align *= 2)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (memalign (align, size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* posix_memalign expects an alignment that is a power of 2 *and* a
|
|
|
c6d234 |
+ multiple of sizeof (void *). */
|
|
|
c6d234 |
+ if ((align % sizeof (void *)) == 0)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);
|
|
|
c6d234 |
+ TEST_VERIFY (ptr == NULL);
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* aligned_alloc expects a size that is a multiple of alignment. */
|
|
|
c6d234 |
+ if ((size % align) == 0)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (aligned_alloc (align, size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* Both valloc and pvalloc return page-aligned memory. */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (valloc (size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ test_setup ();
|
|
|
c6d234 |
+ TEST_VERIFY (pvalloc (size) == NULL);
|
|
|
c6d234 |
+ TEST_VERIFY (errno == ENOMEM);
|
|
|
c6d234 |
+}
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#define FOURTEEN_ON_BITS ((1UL << 14) - 1)
|
|
|
c6d234 |
+#define FIFTY_ON_BITS ((1UL << 50) - 1)
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+static int
|
|
|
c6d234 |
+do_test (void)
|
|
|
c6d234 |
+{
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#if __WORDSIZE >= 64
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* This test assumes that none of the supported targets have an address
|
|
|
c6d234 |
+ bus wider than 50 bits, and that therefore allocations for sizes wider
|
|
|
c6d234 |
+ than 50 bits will fail. Here, we ensure that the assumption continues
|
|
|
c6d234 |
+ to be true in the future when we might have address buses wider than 50
|
|
|
c6d234 |
+ bits. */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ struct rlimit alloc_size_limit
|
|
|
c6d234 |
+ = {
|
|
|
c6d234 |
+ .rlim_cur = FIFTY_ON_BITS,
|
|
|
c6d234 |
+ .rlim_max = FIFTY_ON_BITS
|
|
|
c6d234 |
+ };
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ setrlimit (RLIMIT_AS, &alloc_size_limit);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#endif /* __WORDSIZE >= 64 */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ DIAG_PUSH_NEEDS_COMMENT;
|
|
|
c6d234 |
+#if __GNUC_PREREQ (7, 0)
|
|
|
c6d234 |
+ /* GCC 7 warns about too-large allocations; here we want to test
|
|
|
c6d234 |
+ that they fail. */
|
|
|
c6d234 |
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
|
|
|
c6d234 |
+#endif
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* Aligned memory allocation functions need to be tested up to alignment
|
|
|
c6d234 |
+ size equivalent to page size, which should be a power of 2. */
|
|
|
c6d234 |
+ pagesize = sysconf (_SC_PAGESIZE);
|
|
|
c6d234 |
+ TEST_VERIFY_EXIT (powerof2 (pagesize));
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
|
|
|
c6d234 |
+ in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ We can expect that this range of allocation sizes will always lead to
|
|
|
c6d234 |
+ an allocation failure on both 64 and 32 bit targets, because:
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ 1. no currently supported 64-bit target has an address bus wider than
|
|
|
c6d234 |
+ 50 bits -- and (2^64 - 2^14) is much wider than that;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ 2. on 32-bit targets, even though 2^32 is only 4 GB and potentially
|
|
|
c6d234 |
+ addressable, glibc itself is more than 2^14 bytes in size, and
|
|
|
c6d234 |
+ therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain
|
|
|
c6d234 |
+ available. */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ test_large_allocations (SIZE_MAX - i);
|
|
|
c6d234 |
+ test_large_aligned_allocations (SIZE_MAX - i);
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#if __WORDSIZE >= 64
|
|
|
c6d234 |
+ /* On 64-bit targets, we need to test a much wider range of too-large
|
|
|
c6d234 |
+ sizes, so we test at intervals of (1 << 50) that allocation sizes
|
|
|
c6d234 |
+ ranging from SIZE_MAX down to (1 << 50) fail:
|
|
|
c6d234 |
+ The 14 MSBs are decremented starting from "all ON" going down to 1,
|
|
|
c6d234 |
+ the 50 LSBs are "all ON" and then "all OFF" during every iteration. */
|
|
|
c6d234 |
+ for (size_t msbs = FOURTEEN_ON_BITS; msbs >= 1; msbs--)
|
|
|
c6d234 |
+ {
|
|
|
c6d234 |
+ size_t size = (msbs << 50) | FIFTY_ON_BITS;
|
|
|
c6d234 |
+ test_large_allocations (size);
|
|
|
c6d234 |
+ test_large_aligned_allocations (size);
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ size = msbs << 50;
|
|
|
c6d234 |
+ test_large_allocations (size);
|
|
|
c6d234 |
+ test_large_aligned_allocations (size);
|
|
|
c6d234 |
+ }
|
|
|
c6d234 |
+#endif /* __WORDSIZE >= 64 */
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ DIAG_POP_NEEDS_COMMENT;
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+ return 0;
|
|
|
c6d234 |
+}
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+
|
|
|
c6d234 |
+#include <support/test-driver.c>
|