public inbox for glibc-bugs@sourceware.org
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
[not found] <bug-22057-131@http.sourceware.org/bugzilla/>
@ 2021-07-12 12:53 ` siddhesh at sourceware dot org
2021-07-12 18:03 ` hjl.tools at gmail dot com
` (4 subsequent siblings)
5 siblings, 0 replies; 6+ messages in thread
From: siddhesh at sourceware dot org @ 2021-07-12 12:53 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |ASSIGNED
CC| |siddhesh at sourceware dot org
Assignee|unassigned at sourceware dot org |siddhesh at sourceware dot org
Summary|mcheck does not set the |malloc_usable_size is
|using_malloc_checking flag, |broken with mcheck
|so malloc_usable_size |
|returns an invalid size |
Ever confirmed|0 |1
Last reconfirmed| |2021-07-12
--- Comment #1 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to mo from comment #0)
> The using_malloc_checking flag is only set in the __malloc_check_init
> function,
> which is called when enabling the additional security check via the
> environment variable MALLOC_CHECK_.
mcheck and MALLOC_CHECK_ are distinct features; using_malloc_checking flag is
only for MALLOC_CHECK_ and makes no difference to mcheck...
> When someone calls malloc_usable_size now, ultimately musable will check if
> using_malloc_checking is set and call the special malloc_check_get_size
> function.
> Because the bit isn't set malloc_usable_size will return the value at the
> normal size location which is the hdr->magic2 field now, which is set to
> this:
>
> hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD;
>
> While this will be rarely used apart from debugging, this could still have
> some security implications as the value is most likely bigger than the
> actual size and
> if used for some bounds checking could lead to an overflow.
... however you're right in that this is a bug in mcheck. It needs to override
malloc_usable_size like malloc_check does and provide its own result for size.
I'll fix this after the malloc hooks have been removed and mcheck moved out
into a separate debug library.
Sample program:
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>

int
main (int argc, char **argv)
{
  size_t sz = 32;

  /* An optional first argument overrides the requested size.  */
  if (argc > 1)
    sz = strtoul (argv[1], NULL, 0);

  /* With mcheck active the second number is hdr->magic2, not a size.  */
  printf ("sz: %zu, usable: %zu\n", sz, malloc_usable_size (malloc (sz)));
  return 0;
}
Expected result:
sz: 32, usable: 40 /* usable should be a valid value >= sz */
Actual result:
sz: 32, usable: 4241992728 /* which is actually magic2 as OP pointed out */
--
You are receiving this mail because:
You are on the CC list for the bug.
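The mechanism Siddhesh and the reporter describe, as an added example that is not code from the thread or from glibc: a small C model of the two block layouts. In the plain layout the word just before the user pointer is the chunk size; with an mcheck-style header in front of the block that same position holds hdr->magic2, so an unaware malloc_usable_size returns hdr ^ MAGICWORD instead of a size. The struct hdr field order, the MAGICWORD value and the "strip the low three flag bits" behaviour of model_musable are simplifying assumptions (glibc's real header and musable() differ in detail); write_bound_unsafe and write_bound_safe are illustrative names for the pattern the reporter warns about and its hardened form.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_SZ    (sizeof (size_t))
/* Illustrative magic; the real constant lives in glibc's malloc/mcheck.c.  */
#define MAGICWORD  ((uintptr_t) 0xfedabeebUL)

/* Model of mcheck's per-block header (assumed field layout).  The one
   property that matters is kept: the user pointer is hdr + 1, so magic2
   occupies the SIZE_SZ bytes immediately before it.  */
struct hdr
{
  size_t size;        /* exact size the caller requested */
  uintptr_t magic;    /* header-integrity magic */
  uintptr_t magic2;   /* (uintptr_t) hdr ^ MAGICWORD, as quoted in comment #0 */
};

/* Model of an unaware malloc_usable_size: read the word SIZE_SZ bytes
   before the user pointer and strip the three low flag bits glibc keeps
   in a chunk size word.  It cannot tell a chunk size from the last field
   of a wrapper's header.  NULL yields 0, as documented for the real call.  */
static size_t
model_musable (const void *mem)
{
  size_t word;
  if (mem == NULL)
    return 0;
  memcpy (&word, (const char *) mem - SIZE_SZ, SIZE_SZ);
  return word & ~(size_t) 7;
}

/* Plain layout: one size word, then the user bytes.  */
static void *
plain_malloc (size_t n)
{
  size_t usable = (n + 15) & ~(size_t) 15;   /* round up like an allocator */
  size_t *chunk = malloc (SIZE_SZ + usable);
  if (chunk == NULL)
    return NULL;
  *chunk = usable;
  return chunk + 1;
}

static void
plain_free (void *mem)
{
  if (mem != NULL)
    free ((size_t *) mem - 1);
}

/* mcheck-style layout: struct hdr, then the user bytes.  */
static void *
checked_malloc (size_t n)
{
  struct hdr *h = malloc (sizeof *h + n);
  if (h == NULL)
    return NULL;
  h->size = n;
  h->magic = MAGICWORD;
  h->magic2 = (uintptr_t) h ^ MAGICWORD;
  return h + 1;
}

static void
checked_free (void *mem)
{
  if (mem != NULL)
    free ((struct hdr *) mem - 1);
}

/* The pattern the reporter warns about: take the allocator's usable size
   as the number of bytes that may be written into the block.  */
static size_t
write_bound_unsafe (const void *mem)
{
  return model_musable (mem);
}

/* Hardened form: the write bound is the size the program requested and
   tracked itself.  The allocator's answer is consulted only as a sanity
   check and is rejected when it is smaller than the request or exceeds it
   by more than max_slack.  Returns 0 and leaves *bound untouched on
   rejection, so a confused or corrupted header fails closed.  */
static int
write_bound_safe (const void *mem, size_t requested, size_t max_slack,
                  size_t *bound)
{
  size_t usable = model_musable (mem);
  if (usable < requested || usable - requested > max_slack)
    return 0;
  *bound = requested;
  return 1;
}
```

To see the real thing rather than the model, run the thread's sample program once normally and once with mcheck enabled (the thread notes mcheck is being moved into a separate malloc debug library, so how it is enabled depends on the glibc version) and compare the two "usable" values.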
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
From: hjl.tools at gmail dot com @ 2021-07-12 18:03 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
H.J. Lu <hjl.tools at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hjl.tools at gmail dot com
Blocks| |28068
Referenced Bugs:
https://sourceware.org/bugzilla/show_bug.cgi?id=28068
[Bug 28068] FAIL: malloc/tst-mallocalign1-mcheck
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
From: cvs-commit at gcc dot gnu.org @ 2021-07-13 1:14 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by H.J. Lu <hjl@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=84ea6ea24bd5bef674ce16a2832dbbe4d514e6d9
commit 84ea6ea24bd5bef674ce16a2832dbbe4d514e6d9
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Jul 12 14:36:39 2021 -0700
mcheck: Align struct hdr to MALLOC_ALIGNMENT bytes [BZ #28068]
1. Align struct hdr to MALLOC_ALIGNMENT bytes so that malloc hooks in
libmcheck align memory to MALLOC_ALIGNMENT bytes.
2. Remove tst-mallocalign1 from tests-exclude-mcheck for i386 and x32.
3. Add tst-pvalloc-fortify and tst-reallocarray to tests-exclude-mcheck
since they use malloc_usable_size (see BZ #22057).
This fixed BZ #28068.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
From: siddhesh at sourceware dot org @ 2021-07-22 13:17 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Target Milestone|--- |2.34
Status|ASSIGNED |RESOLVED
--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Thu Jul 22 18:38:16 2021 +0530
mcheck Fix malloc_usable_size [BZ #22057]
Interpose malloc_usable_size to return the correct mcheck value for
malloc_usable_size.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Tested-by: Carlos O'Donell <carlos@redhat.com>
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
From: schwab@linux-m68k.org @ 2021-10-27 21:12 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |28506
Referenced Bugs:
https://sourceware.org/bugzilla/show_bug.cgi?id=28506
[Bug 28506] malloc-check + malloc_usable_size(NULL) causes segfault
* [Bug malloc/22057] malloc_usable_size is broken with mcheck
From: siddhesh at sourceware dot org @ 2021-10-29 3:19 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=22057
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on|28506 |
Referenced Bugs:
https://sourceware.org/bugzilla/show_bug.cgi?id=28506
[Bug 28506] malloc-check + malloc_usable_size(NULL) causes segfault