From: "siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/22057] malloc_usable_size is broken with mcheck
Date: Mon, 12 Jul 2021 12:53:19 +0000
Message-ID: <bug-22057-131-fJa5Knnv8r@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-22057-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=22057

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                      |ASSIGNED
                 CC|                                 |siddhesh at sourceware dot org
           Assignee|unassigned at sourceware dot org |siddhesh at sourceware dot org
            Summary|mcheck does not set the          |malloc_usable_size is
                   |using_malloc_checking flag,      |broken with mcheck
                   |so malloc_usable_size            |
                   |returns an invalid size          |
     Ever confirmed|0                                |1
   Last reconfirmed|                                 |2021-07-12

--- Comment #1 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to mo from comment #0)
> The using_malloc_checking flag is only set in the __malloc_check_init
> function, which is called when enabling the additional security check via
> the environment variable MALLOC_CHECK_.

mcheck and MALLOC_CHECK_ are distinct features; the using_malloc_checking flag
is only for MALLOC_CHECK_ and makes no difference to mcheck...

> When someone calls malloc_usable_size now, ultimately musable will check if
> using_malloc_checking is set and call the special malloc_check_get_size
> function. Because the bit isn't set malloc_usable_size will return the
> value at the normal size location which is the hdr->magic2 field now, which
> is set to this:
>
> hdr->magic2 = (uintptr_t) hdr ^ MAGICWORD;
>
> While this will be rarely used apart from debugging, this could still have
> some security implications as the value is most likely bigger than the
> actual size and if used for some bounds checking could lead to an overflow.

... however you're right in that this is a bug in mcheck. It needs to override
malloc_usable_size like malloc_check does and provide its own result for size.
I'll fix this after the malloc hooks have been removed and mcheck moved out
into a separate debug library.

Sample program:

#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>

int
main (int argc, char **argv)
{
  size_t sz = 32;

  /* An optional first argument overrides the requested size.  */
  if (argc > 1)
    sz = strtoul (argv[1], NULL, 0);

  printf ("sz: %zu, usable: %zu\n", sz, malloc_usable_size (malloc (sz)));
  return 0;
}

Expected result:

sz: 32, usable: 40 /* usable should be a valid value >= sz */

Actual result:

sz: 32, usable: 4241992728 /* which is actually magic2 as OP pointed out */

--
You are receiving this mail because:
You are on the CC list for the bug.
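As an added example that is not part of the bug report and not glibc code, the defensive pattern the reporter's overflow concern points at: treat the value malloc_usable_size returns as untrusted, validate it against the size that was actually requested, and fall back to the requested size (always a correct lower bound) when the allocator's answer is inconsistent, as it is under mcheck. The USABLE_SLACK_MAX bound, the helper names and the growable-buffer type are assumptions made for this example; the start-up probe mirrors the 32-byte reproducer above.

```c
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: a sane allocator never adds more than this
 * much slack on top of what was requested (covers glibc's 16-byte chunk
 * rounding and a page of tail space on large blocks). */
#define USABLE_SLACK_MAX ((size_t) 4096)

/* Pure policy function: given the size we asked malloc for and the size
 * malloc_usable_size reported, return how many bytes may be treated as
 * writable. A report below the request, or implausibly far above it (the
 * mcheck magic2 case from the bug report), is rejected in favour of the
 * requested size, which is always a correct lower bound. */
size_t validate_usable_size(size_t requested, size_t reported)
{
    if (reported < requested)
        return requested;
    if (reported - requested > USABLE_SLACK_MAX)
        return requested;
    return reported;
}

/* Checked wrapper: never hands out the raw allocator answer. */
size_t checked_usable_size(void *p, size_t requested)
{
    if (p == NULL)
        return 0;
    return validate_usable_size(requested, malloc_usable_size(p));
}

/* Start-up probe modelled on the reproducer: allocate 32 bytes and see
 * whether the allocator's answer passes the policy. Returns 1 when
 * malloc_usable_size can be trusted for the slack optimisation, else 0. */
int usable_size_probe_ok(void)
{
    size_t sz = 32;
    void *p = malloc(sz);
    if (p == NULL)
        return 0;
    size_t reported = malloc_usable_size(p);
    int ok = validate_usable_size(sz, reported) == reported;
    free(p);
    return ok;
}

/* The pattern at risk: a growable buffer that reuses allocator slack before
 * calling realloc. It only ever writes within the validated capacity. */
struct buf {
    char *data;
    size_t len;        /* bytes in use */
    size_t requested;  /* size last passed to malloc/realloc */
};

int buf_append(struct buf *b, const char *s, size_t n)
{
    size_t cap = checked_usable_size(b->data, b->requested);
    /* Invariant: b->len <= cap, so the subtraction cannot wrap. */
    if (n > cap - b->len) {
        size_t need = b->len + n;
        char *nd = realloc(b->data, need);
        if (nd == NULL)
            return -1;
        b->data = nd;
        b->requested = need;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Self-check: append two pieces and confirm the content. Returns 1 on success. */
int buf_demo_ok(void)
{
    struct buf b = { NULL, 0, 0 };
    int ok = buf_append(&b, "hello", 5) == 0
          && buf_append(&b, "world", 5) == 0
          && b.len == 10
          && memcmp(b.data, "helloworld", 10) == 0;
    free(b.data);
    return ok;
}

int main(void)
{
    printf("malloc_usable_size probe: %s\n",
           usable_size_probe_ok() ? "sane" : "rejected, using requested sizes");
    printf("buffer demo: %s\n", buf_demo_ok() ? "ok" : "failed");
    return 0;
}
```

The point of routing every capacity decision through validate_usable_size is that a debugging allocator (or any allocator that misreports) degrades the optimisation rather than the bounds check: the worst case is an extra realloc, not a write past the allocation.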