|
 |
a1b1ec |
From 5eea79eaf426ac3e51a09d3f3fe72c2b385abc89 Mon Sep 17 00:00:00 2001
|
|
|
a1b1ec |
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
|
a1b1ec |
Date: Tue, 10 Nov 2020 11:16:00 +0100
|
|
|
a1b1ec |
Subject: [PATCH] Fix memory allocation
|
|
|
a1b1ec |
|
|
|
a1b1ec |
We can't assume that size of a structure is a sum of sizes of its
|
|
|
a1b1ec |
members because padding and alignment can be involved. In fact,
|
|
|
a1b1ec |
we need to allocate more bytes for the structure than the
|
|
|
a1b1ec |
sum of sizes of its members.
|
|
|
a1b1ec |
|
|
|
a1b1ec |
The wrong assumption caused invalid writes and invalid reads
|
|
|
a1b1ec |
which can be discovered by valgrind. Moreover, when run with
|
|
|
a1b1ec |
MALLOC_CHECK_ environment variable set to non-zero value, the
|
|
|
a1b1ec |
program aborted.
|
|
|
a1b1ec |
|
|
|
a1b1ec |
The memory issue happened only when NDEBUG is defined, eg. when cmake
|
|
|
a1b1ec |
-DCMAKE_BUILD_TYPE=RelWithDebInfo or Release, it doesn't happen if cmake
|
|
|
a1b1ec |
-DCMAKE_BUILD_TYPE=Debug which we usually use in Jenkins CI. This is
|
|
|
a1b1ec |
most likely because in debug mode the struct SEXP contains 2 additional
|
|
|
a1b1ec |
members which are the magic canaries and therefore is bigger.
|
|
|
a1b1ec |
|
|
|
a1b1ec |
This commit wants to fix the problem by 2 step allocation in which
|
|
|
a1b1ec |
first the size of the struct SEXP_val_lblk is used and then the
|
|
|
a1b1ec |
array of SEXPs is allocated separately.
|
|
|
a1b1ec |
|
|
|
a1b1ec |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1891770
|
|
|
a1b1ec |
---
|
|
|
a1b1ec |
src/OVAL/probes/SEAP/_sexp-value.h | 2 +-
|
|
|
a1b1ec |
src/OVAL/probes/SEAP/sexp-value.c | 12 ++++++------
|
|
|
a1b1ec |
2 files changed, 7 insertions(+), 7 deletions(-)
|
|
|
a1b1ec |
|
|
|
a1b1ec |
diff --git a/src/OVAL/probes/SEAP/_sexp-value.h b/src/OVAL/probes/SEAP/_sexp-value.h
|
|
|
a1b1ec |
index 426cd2c3d..e66777ef9 100644
|
|
|
a1b1ec |
--- a/src/OVAL/probes/SEAP/_sexp-value.h
|
|
|
a1b1ec |
+++ b/src/OVAL/probes/SEAP/_sexp-value.h
|
|
|
a1b1ec |
@@ -94,7 +94,7 @@ struct SEXP_val_lblk {
|
|
|
a1b1ec |
uintptr_t nxsz;
|
|
|
a1b1ec |
uint16_t real;
|
|
|
a1b1ec |
uint16_t refs;
|
|
|
a1b1ec |
- SEXP_t memb[];
|
|
|
a1b1ec |
+ SEXP_t *memb;
|
|
|
a1b1ec |
};
|
|
|
a1b1ec |
|
|
|
a1b1ec |
size_t SEXP_rawval_list_length (struct SEXP_val_list *list);
|
|
|
a1b1ec |
diff --git a/src/OVAL/probes/SEAP/sexp-value.c b/src/OVAL/probes/SEAP/sexp-value.c
|
|
|
a1b1ec |
index a11cbc70c..b8b3ed609 100644
|
|
|
a1b1ec |
--- a/src/OVAL/probes/SEAP/sexp-value.c
|
|
|
a1b1ec |
+++ b/src/OVAL/probes/SEAP/sexp-value.c
|
|
|
a1b1ec |
@@ -106,10 +106,8 @@ uintptr_t SEXP_rawval_lblk_new (uint8_t sz)
|
|
|
a1b1ec |
{
|
|
|
a1b1ec |
_A(sz < 16);
|
|
|
a1b1ec |
|
|
|
a1b1ec |
- struct SEXP_val_lblk *lblk = oscap_aligned_malloc(
|
|
|
a1b1ec |
- sizeof(uintptr_t) + (2 * sizeof(uint16_t)) + (sizeof(SEXP_t) * (1 << sz)),
|
|
|
a1b1ec |
- SEXP_LBLK_ALIGN
|
|
|
a1b1ec |
- );
|
|
|
a1b1ec |
+ struct SEXP_val_lblk *lblk = malloc(sizeof(struct SEXP_val_lblk));
|
|
|
a1b1ec |
+ lblk->memb = malloc(sizeof(SEXP_t) * (1 << sz));
|
|
|
a1b1ec |
|
|
|
a1b1ec |
lblk->nxsz = ((uintptr_t)(NULL) & SEXP_LBLKP_MASK) | ((uintptr_t)sz & SEXP_LBLKS_MASK);
|
|
|
a1b1ec |
lblk->refs = 1;
|
|
|
a1b1ec |
@@ -519,7 +517,8 @@ void SEXP_rawval_lblk_free (uintptr_t lblkp, void (*func) (SEXP_t *))
|
|
|
a1b1ec |
func (lblk->memb + lblk->real);
|
|
|
a1b1ec |
}
|
|
|
a1b1ec |
|
|
|
a1b1ec |
- oscap_aligned_free(lblk);
|
|
|
a1b1ec |
+ free(lblk->memb);
|
|
|
a1b1ec |
+ free(lblk);
|
|
|
a1b1ec |
|
|
|
a1b1ec |
if (next != NULL)
|
|
|
a1b1ec |
SEXP_rawval_lblk_free ((uintptr_t)next, func);
|
|
|
a1b1ec |
@@ -540,7 +539,8 @@ void SEXP_rawval_lblk_free1 (uintptr_t lblkp, void (*func) (SEXP_t *))
|
|
|
a1b1ec |
func (lblk->memb + lblk->real);
|
|
|
a1b1ec |
}
|
|
|
a1b1ec |
|
|
|
a1b1ec |
- oscap_aligned_free(lblk);
|
|
|
a1b1ec |
+ free(lblk->memb);
|
|
|
a1b1ec |
+ free(lblk);
|
|
|
a1b1ec |
}
|
|
|
a1b1ec |
|
|
|
a1b1ec |
return;
|
|
|
a1b1ec |
--
|
|
|
a1b1ec |
2.26.2
|
|
|
a1b1ec |
|