public inbox for cygwin-cvs@sourceware.org
From: Corinna Vinschen <corinna@sourceware.org> To: cygwin-cvs@sourceware.org, newlib-cvs@sourceware.org Subject: [newlib-cygwin] malloc/nano-malloc: correctly check for out-of-bounds allocation reqs Date: Tue, 17 Nov 2020 19:57:56 +0000 (GMT) [thread overview] Message-ID: <20201117195756.74CC43858002@sourceware.org> (raw) https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e commit aa106b29a6a8a1b0df9e334704292cbc32f2d44e Author: Corinna Vinschen <vinschen@redhat.com> Date: Tue Nov 17 10:50:57 2020 +0100 malloc/nano-malloc: correctly check for out-of-bounds allocation reqs The overflow check in mEMALIGn erroneously checks for INT_MAX, albeit the input parameter is size_t. Fix this to check for __SIZE_MAX__ instead. Also, it misses to check the req against adding the alignment before calling mALLOc. While at it, add out-of-bounds checks to pvALLOc, nano_memalign, nano_valloc, and Cygwin's (unused) dlpvalloc. Signed-off-by: Corinna Vinschen <corinna@vinschen.de> Diff: --- newlib/libc/stdlib/mallocr.c | 7 ++++++- newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++- winsup/cygwin/malloc.cc | 4 ++++ 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c index 9ad720ada..13d014cc8 100644 --- a/newlib/libc/stdlib/mallocr.c +++ b/newlib/libc/stdlib/mallocr.c @@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes; nb = request2size(bytes); /* Check for overflow. */ - if (nb > INT_MAX || nb < bytes) + if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes) { RERRNO = ENOMEM; return 0; @@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes; #endif { size_t pagesize = malloc_getpagesize; + if (bytes > __SIZE_MAX__ - pagesize) + { + RERRNO = ENOMEM; + return 0; + } return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1)); } 
diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c index 6dbfba84b..1e0703948 100644 --- a/newlib/libc/stdlib/nano-mallocr.c +++ b/newlib/libc/stdlib/nano-mallocr.c @@ -580,8 +580,22 @@ void * nano_memalign(RARG size_t align, size_t s) if ((align & (align-1)) != 0) return NULL; align = MAX(align, MALLOC_ALIGN); + + /* Make sure ma_size does not overflow */ + if (s > __SIZE_MAX__ - CHUNK_ALIGN) + { + RERRNO = ENOMEM; + return NULL; + } ma_size = ALIGN_SIZE(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN); - size_with_padding = ma_size + align - MALLOC_ALIGN; + + /* Make sure size_with_padding does not overflow */ + if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN)) + { + RERRNO = ENOMEM; + return NULL; + } + size_with_padding = ma_size + (align - MALLOC_ALIGN); allocated = nano_malloc(RCALL size_with_padding); if (allocated == NULL) return NULL; @@ -644,6 +658,12 @@ void * nano_valloc(RARG size_t s) #ifdef DEFINE_PVALLOC void * nano_pvalloc(RARG size_t s) { + /* Make sure size given to nano_valloc does not overflow */ + if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN) + { + RERRNO = ENOMEM; + return NULL; + } return nano_valloc(RCALL ALIGN_SIZE(s, MALLOC_PAGE_ALIGN)); } #endif /* DEFINE_PVALLOC */ diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc index 23c354074..8a1fc257e 100644 --- a/winsup/cygwin/malloc.cc +++ b/winsup/cygwin/malloc.cc @@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) { size_t pagesz; ensure_initialization(); pagesz = mparams.page_size; + if (bytes > MAX_REQUEST) { + MALLOC_FAILURE_ACTION; + return NULL; + } return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE)); }
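Review bot: in the mEMALIGn hunk, the new bound `__SIZE_MAX__ - (alignment + MINSIZE)` can itself wrap when a caller passes an alignment close to SIZE_MAX: `alignment + MINSIZE` overflows to a small value, the subtraction then yields a very large bound, and the oversized request passes the guard it was meant to fail. Nothing in the hunk shows `alignment` being range-checked before this point, so either reject `alignment > __SIZE_MAX__ - MINSIZE` first, or compute the bound as `__SIZE_MAX__ - alignment - MINSIZE` after such a check. Keeping `|| nb < bytes` alongside is right, since it still catches request2size wrapping independently of the alignment term.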
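Review bot: the pvALLOc guard `if (bytes > __SIZE_MAX__ - pagesize)` is the only one of the new checks without a comment saying what it protects, while each nano-mallocr.c guard carries a "Make sure ... does not overflow" line. Add the same here, because the purpose is not obvious from the line itself: mEMALIGn re-checks the rounded size anyway, so this test exists solely to keep `bytes + pagesize - 1` from wrapping inside the rounding expression, which would otherwise turn a huge request into a small one that succeeds. The bound is correct as written (bytes <= __SIZE_MAX__ - pagesize leaves the sum at most __SIZE_MAX__ - 1), and setting `RERRNO = ENOMEM` matches mEMALIGn's existing convention.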
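Review bot: the nano_memalign hunk sets `RERRNO = ENOMEM` on both new failure paths, but the unchanged line just above them, `if ((align & (align-1)) != 0) return NULL;`, still returns without setting errno, so callers cannot tell a rejected alignment from an allocation failure; setting EINVAL there would be a small follow-up in the same spirit. The rewrite of `ma_size + align - MALLOC_ALIGN` to `ma_size + (align - MALLOC_ALIGN)` deserves its own comment: it is not cosmetic, since the old left-to-right evaluation could wrap on `ma_size + align` even when the final value fits, and the parenthesised form is exactly the quantity the preceding guard bounds. The subtraction itself is safe because `align = MAX(align, MALLOC_ALIGN);` precedes it.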
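Review bot: the nano_pvalloc guard is consistent with the other nano-mallocr.c checks, but its comment "Make sure size given to nano_valloc does not overflow" names the wrong thing: what the `s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN` test protects is the `ALIGN_SIZE(s, MALLOC_PAGE_ALIGN)` rounding on the next line, not nano_valloc itself. Reword it to say the page rounding must not wrap, so a later reader does not remove the check as redundant with whatever nano_valloc does.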
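Review bot: the dlpvalloc hunk bounds `bytes` by `MAX_REQUEST` rather than by `__SIZE_MAX__ - pagesz` as the newlib hunks do; using the allocator's own request ceiling is the stricter choice and a reasonable one, but the difference from the other three files deserves a one-line comment so nobody later "harmonises" it to the looser form. Note also that the rounded value `(bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE)` can still exceed MAX_REQUEST by up to a page for `bytes` just under the limit, so the comment should state that the check prevents the wrap in the rounding, and that rejecting the rounded size is left to dlmemalign.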