From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 1944) id 6DFCD3851537; Thu, 27 Oct 2022 13:49:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 6DFCD3851537 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1666878593; bh=+8rec5zI99T2rGk3k8LRvtm9T0qdXeEbwWB3jRcGB3k=; h=From:To:Subject:Date:From; b=hL5nEBMf2V7bbLTCah2L77GB4zrVwaKYQOWtBZPZAgbzJKIQL/RABxsG0x3U2Eu+F NZOZbxI+r2OdL6/CD5Rd4LPh0JU7VNjC9Z50TE42oiOcyMK7FGpXIObkpS4LasbfrI jQGiMYbjNKVt04YQ5zBi80DME3H9KUJYaO3gBtTY= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Szabolcs Nagy To: glibc-cvs@sourceware.org Subject: [glibc/arm/morello/main] Fix malloc/tst-scratch_buffer OOB access X-Act-Checkin: glibc X-Git-Author: Szabolcs Nagy X-Git-Refname: refs/heads/arm/morello/main X-Git-Oldrev: 5f1f0f9a718b67c6205dbb90760a0f72385dc205 X-Git-Newrev: 1dc3098e2c316254d6a9cb50797f2eca9be92b9f Message-Id: <20221027134953.6DFCD3851537@sourceware.org> Date: Thu, 27 Oct 2022 13:49:52 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1dc3098e2c316254d6a9cb50797f2eca9be92b9f commit 1dc3098e2c316254d6a9cb50797f2eca9be92b9f Author: Szabolcs Nagy Date: Tue Oct 11 13:23:25 2022 +0100 Fix malloc/tst-scratch_buffer OOB access The test used scratch_buffer_dupfree incorrectly: - The passed in size must be <= buf.length. - Must be called at most once on a buf object since it frees it. - After it is called buf.data and buf.length must not be accessed. All of these were violated, the test happened to work because the buffer was on the stack, which meant the test copied out-of-bounds bytes from the stack into a new buffer and then compared those bytes. Run one test and avoid the issues above. Diff: --- malloc/tst-scratch_buffer.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/malloc/tst-scratch_buffer.c b/malloc/tst-scratch_buffer.c index 9fcb11ba2c..60a513ccc6 100644 --- a/malloc/tst-scratch_buffer.c +++ b/malloc/tst-scratch_buffer.c @@ -155,21 +155,13 @@ do_test (void) struct scratch_buffer buf; scratch_buffer_init (&buf); memset (buf.data, '@', buf.length); - - size_t sizes[] = { 16, buf.length, buf.length + 16 }; - for (int i = 0; i < array_length (sizes); i++) - { - /* The extra size is unitialized through realloc. */ - size_t l = sizes[i] > buf.length ? sizes[i] : buf.length; - void *r = scratch_buffer_dupfree (&buf, l); - void *c = xmalloc (l); - memset (c, '@', l); - TEST_COMPARE_BLOB (r, l, buf.data, l); - free (r); - free (c); - } - - scratch_buffer_free (&buf); + size_t l = 16 <= buf.length ? 16 : buf.length; + void *r = scratch_buffer_dupfree (&buf, l); + void *c = xmalloc (l); + memset (c, '@', l); + TEST_COMPARE_BLOB (r, l, c, l); + free (r); + free (c); } return 0; }