Re: [RFC] Supporting malloc_usable_size

[Florian Weimer <fweimer@redhat.com>]

* Siddhesh Poyarekar:

> On 2022-12-02 07:03, Andreas Schwab wrote:
>> On Nov 24 2022, Siddhesh Poyarekar wrote:
>> 
>>> This is in context of this systemd issue:
>>>
>>> https://github.com/systemd/systemd/issues/22801
>>>
>>> through which I had discovered that systemd was (ab)using
>>> malloc_usable_size to use spare space in an allocated object.  This was
>>> discovered when _FORTIFY_SOURCE=3 flagged this as a buffer overflow,
>>> since the compiler is unable to see that the space beyond the allocation
>>> was safe to use.
>> Which it isn't.  Nothing prevents malloc to hand out the extra space
>> to
>> a different thread any time, so the size returned by malloc_usable_size
>> can get outdated instantly.
>
> Not with the current malloc implementation I suppose but I get what
> you mean.  Florian had mentioned a similar caveat where a malloc 
> implementation could coalesce adjacent free blocks with the end of an
> allocated block and change the value of malloc_usable_size at any 
> arbitrary point in time too.
>
> However the man page starts with "Although the excess bytes can be
> overwritten by the application without ill effects" and maybe that 
> reassurance needs to be dropped.

I think that is part of the interface contract.

During the life-time of an allocation, the observed return value can
only ever grow, never shrink.  That's how I read the interface
description (because it doesn't say the value is constant).

However, systemd has cases which seem incompatible even with that: The
code derives an array length from the malloc_usable_size return value.
It assumes that if it has initialized the array up to that length at one
point, all array elements are initialized.  But when the array length is
recomputed, new uninitialized elements may appear, so that's not really
correct.

Thanks,
Florian