From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Subject: Re: [PATCH v6] Add reallocarray function.
Date: Tue, 30 May 2017 15:17:00 -0000 [thread overview]
Message-ID: <4d4e86c6-7b9e-8e4f-414d-0fa3c4f4470c@linaro.org> (raw)
In-Reply-To: <20170522202515.19374-1-denniswoelfing@gmx.de>
On 22/05/2017 17:25, Dennis Wölfing wrote:
> The reallocarray function is an extension from OpenBSD. It is an
> integer-overflow-safe replacement for realloc(p, X*Y) and
> malloc(X*Y) (realloc(NULL, X*Y)). It can therefore help in preventing
> certain security issues in code.
>
> This is an updated version of a patch originally submitted by Rüdiger
> Sonderfeld in May 2014.
> See <https://sourceware.org/ml/libc-alpha/2014-05/msg00481.html>.
>
> Tested on i686 and x86_64.
>
> 2017-05-22 Dennis Wölfing <denniswoelfing@gmx.de>
> Rüdiger Sonderfeld <ruediger@c-plusplus.de>
>
> * include/stdlib.h (__libc_reallocarray): New declaration.
> * malloc/Makefile (routines): Add reallocarray.
> (tests): Add tst-reallocarray.c.
> * malloc/Versions: Add reallocarray and __libc_reallocarray.
> * malloc/malloc-internal.h (check_mul_overflow_size_t): New inline
> function.
> * malloc/malloc.h (reallocarray): New declaration.
> * stdlib/stdlib.h (reallocarray): Likewise.
> * malloc/reallocarray.c: New file.
> * malloc/tst-reallocarray.c: New test file.
> * manual/memory.texi: Document reallocarray.
> * sysdeps/unix/sysv/linux/aarch64/libc.abilist: Add reallocarray.
> * sysdeps/unix/sysv/linux/alpha/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/arm/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/hppa/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/i386/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/ia64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/microblaze/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/nios2/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist:
> Likewise.
> * sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist:
> Likewise.
> * sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist: Likewise.
> * sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/sh/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/tilepro/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/x86_64/64/libc.abilist: Likewise.
> * sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist: Likewise.
LGTM with some nits below.
> diff --git a/NEWS b/NEWS
> index b4ecd6201d..e70bff01db 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -66,6 +66,8 @@ Version 2.26
> * The port to Native Client running on ARMv7-A (--host=arm-nacl) has been
> removed.
>
> +* The reallocarray function has been added to libc.
> +
> Security related changes:
I would extend it a bit by describing what reallocarray is intended to
(maybe something as 'It is a realloc replacement with a check for integer
overflow when calculating total allocation size').
> diff --git a/malloc/tst-reallocarray.c b/malloc/tst-reallocarray.c
> new file mode 100644
> index 0000000000..e914e2938b
> --- /dev/null
> +++ b/malloc/tst-reallocarray.c
> @@ -0,0 +1,119 @@
> +/* Test for reallocarray.
> + Copyright (C) 2014-2017 Free Software Foundation, Inc.
It is a new file, so use 2017 instead.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <errno.h>
> +#include <malloc.h>
> +#include <string.h>
> +#include <support/check.h>
> +
> +static int
> +do_test (void)
> +
Extra line.
> diff --git a/manual/memory.texi b/manual/memory.texi
> index a256ca07b2..fb6b594ef1 100644
> --- a/manual/memory.texi
> +++ b/manual/memory.texi
> @@ -751,8 +751,8 @@ be a buffer that you use to hold a line being read from a file; no matter
> how long you make the buffer initially, you may encounter a line that is
> longer.
>
> -You can make the block longer by calling @code{realloc}. This function
> -is declared in @file{stdlib.h}.
> +You can make the block longer by calling @code{realloc} or
> +@code{reallocarray}. These functions are declared in @file{stdlib.h}.
> @pindex stdlib.h
>
> @comment malloc.h stdlib.h
> @@ -816,9 +816,29 @@ behavior, and will probably crash when @code{realloc} is passed a null
> pointer.
> @end deftypefun
>
> -Like @code{malloc}, @code{realloc} may return a null pointer if no
> -memory space is available to make the block bigger. When this happens,
> -the original block is untouched; it has not been modified or relocated.
> +@comment malloc.h stdlib.h
> +@comment BSD
> +@deftypefun {void *} reallocarray (void *@var{ptr}, size_t @var{nmemb}, size_t @var{size})
> +@safety{@prelim{}@mtsafe{}@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{} @acsmem{}}}
> +
> +The @code{reallocarray} function changes the size of the block whose address
> +is @var{ptr} to be long enough to contain a vector of @var{nmemb} elements,
> +each of size @var{size}. It is equivalent to @samp{realloc (@var{ptr},
> +@var{nmemb} * @var{size})}, except that @code{reallocarray} fails safely if
> +the multiplication overflows, by setting @code{errno} to @code{ENOMEM},
> +returning a null pointer, and leaving the original block unchanged.
> +
> +@code{reallocarray} should be used instead of @code{realloc} when the new size
> +of the allocated block is the result of a multiplication that might overflow.
> +
> +@strong{Portability Note:} This function is not part of any standard. It was
> +first introduced in OpenBSD 5.6.
> +@end deftypefun
I think it is worth to add FreeBSD 11.0 also supports it.
next prev parent reply other threads:[~2017-05-30 15:17 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-10 15:01 [PATCH] " Dennis Wölfing
2017-04-10 15:18 ` Zack Weinberg
2017-04-10 18:27 ` Dennis Wölfing
2017-04-16 13:19 ` Dennis Wölfing
2017-04-16 13:38 ` Florian Weimer
2017-04-10 16:03 ` Andreas Schwab
2017-04-11 7:55 ` Florian Weimer
2017-04-12 15:24 ` Dennis Wölfing
2017-04-12 16:35 ` Florian Weimer
2017-04-17 14:02 ` [PATCH v2] " Dennis Wölfing
2017-04-17 14:32 ` Florian Weimer
2017-04-17 14:34 ` Paul Eggert
2017-04-17 14:40 ` Dennis Wölfing
2017-04-17 14:44 ` Florian Weimer
2017-04-18 12:34 ` Carlos O'Donell
2017-04-18 14:29 ` Dennis Wölfing
2017-04-18 15:50 ` Carlos O'Donell
2017-04-18 15:57 ` Dennis Wölfing
2017-04-19 15:16 ` Joseph Myers
2017-04-19 15:02 ` Joseph Myers
2017-04-21 12:16 ` [PATCH v3] " Dennis Wölfing
2017-04-28 8:57 ` Dennis Wölfing
2017-05-08 7:07 ` Dennis Wölfing
2017-05-08 7:34 ` Florian Weimer
2017-05-10 13:03 ` [PATCH v4] " Dennis Wölfing
2017-05-10 21:29 ` DJ Delorie
2017-05-11 17:00 ` Dennis Wölfing
2017-05-11 17:28 ` DJ Delorie
2017-05-11 18:36 ` Dennis Wölfing
2017-05-11 18:41 ` DJ Delorie
2017-05-15 12:22 ` [PATCH v5] " Dennis Wölfing
2017-05-22 14:16 ` Dennis Wölfing
2017-05-22 18:24 ` DJ Delorie
2017-05-22 18:51 ` Zack Weinberg
2017-05-22 20:25 ` [PATCH v6] " Dennis Wölfing
2017-05-29 12:29 ` Dennis Wölfing
2017-05-30 16:02 ` DJ Delorie
2017-05-30 16:17 ` Zack Weinberg
2017-05-30 20:02 ` Dennis Wölfing
2017-05-30 20:35 ` Adhemerval Zanella
2017-05-30 20:38 ` Dennis Wölfing
2017-05-30 20:40 ` Adhemerval Zanella
2017-05-30 20:50 ` [PATCH v7] " Dennis Wölfing
2017-05-30 22:06 ` Adhemerval Zanella
2017-05-30 15:17 ` Adhemerval Zanella [this message]
2017-05-30 20:02 ` [PATCH v6] " Dennis Wölfing
2017-05-30 20:16 ` Florian Weimer
2017-05-30 20:27 ` Adhemerval Zanella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4d4e86c6-7b9e-8e4f-414d-0fa3c4f4470c@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).