From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 1944) id 765443853D7E; Wed, 23 Nov 2022 14:39:51 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 765443853D7E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1669214391; bh=ANojnK6Qa6admnbgqLpclDscxo0aIjyAyczCn2Q9c7A=; h=From:To:Subject:Date:From; b=aOeZqOhuxqE2HMahr7aWPeqJCZyX+iGXabRcWj4VOwh59VjJCBvuxWCRGWallKuOS N2mzNNBHkWsv9tCO6DMUcQquAFd3a54R1MqNWvhzCQQ9U9gjNryZDIwSVvIg9HkhDQ D1rFrvRiMTdVCJHxTvhZkCIyLj0JnNY1OOTToKK8= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Szabolcs Nagy To: glibc-cvs@sourceware.org Subject: [glibc/arm/morello/main] Fix malloc/tst-scratch_buffer OOB access X-Act-Checkin: glibc X-Git-Author: Szabolcs Nagy X-Git-Refname: refs/heads/arm/morello/main X-Git-Oldrev: 65c576e7e58d99d80e294e6c0c02a530ca9375fb X-Git-Newrev: 2a287534c18a37536141e94dc98685a4ce10f89f Message-Id: <20221123143951.765443853D7E@sourceware.org> Date: Wed, 23 Nov 2022 14:39:51 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2a287534c18a37536141e94dc98685a4ce10f89f commit 2a287534c18a37536141e94dc98685a4ce10f89f Author: Szabolcs Nagy Date: Tue Oct 11 13:23:25 2022 +0100 Fix malloc/tst-scratch_buffer OOB access The test used scratch_buffer_dupfree incorrectly: - The passed in size must be <= buf.length. - Must be called at most once on a buf object since it frees it. - After it is called buf.data and buf.length must not be accessed. All of these were violated, the test happened to work because the buffer was on the stack, which meant the test copied out-of-bounds bytes from the stack into a new buffer and then compared those bytes. Run one test and avoid the issues above. Diff: --- malloc/tst-scratch_buffer.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/malloc/tst-scratch_buffer.c b/malloc/tst-scratch_buffer.c index 9fcb11ba2c..60a513ccc6 100644 --- a/malloc/tst-scratch_buffer.c +++ b/malloc/tst-scratch_buffer.c @@ -155,21 +155,13 @@ do_test (void) struct scratch_buffer buf; scratch_buffer_init (&buf); memset (buf.data, '@', buf.length); - - size_t sizes[] = { 16, buf.length, buf.length + 16 }; - for (int i = 0; i < array_length (sizes); i++) - { - /* The extra size is unitialized through realloc. */ - size_t l = sizes[i] > buf.length ? sizes[i] : buf.length; - void *r = scratch_buffer_dupfree (&buf, l); - void *c = xmalloc (l); - memset (c, '@', l); - TEST_COMPARE_BLOB (r, l, buf.data, l); - free (r); - free (c); - } - - scratch_buffer_free (&buf); + size_t l = 16 <= buf.length ? 16 : buf.length; + void *r = scratch_buffer_dupfree (&buf, l); + void *c = xmalloc (l); + memset (c, '@', l); + TEST_COMPARE_BLOB (r, l, c, l); + free (r); + free (c); } return 0; }