Message-ID: <522F1BAD.7070502@linaro.org>
Date: Tue, 10 Sep 2013 13:16:00 -0000
From: Will Newton
To: libc-ports@sourceware.org
CC: patches@linaro.org
Subject: [PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.

A large bytes parameter to valloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation.

ChangeLog:

2013-08-16 Will Newton

[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow.
---
malloc/malloc.c | 7 +++++++
1 file changed, 7 insertions(+)

Changes in v3:
- Reorder if condition
- Set errno appropriately

diff --git a/malloc/malloc.c b/malloc/malloc.c index 7f43ba3..3148c5f 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + void *(*hook) (size_t, size_t, const void *) = force_reg (__memalign_hook); if (__builtin_expect (hook != NULL, 0)) -- 1.8.1.4
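
Review bot: the comment on the new check in __libc_valloc, `/* Check for overflow. */`, does not say which later computation the bound `SIZE_MAX - pagesz - MINSIZE` protects, so a reader cannot confirm from this function alone that the bound is sufficient; name the guarded expression and where it is evaluated in the comment. The early return also sits above the `__memalign_hook` dispatch, so an installed hook will no longer see requests this large; if that is intended, it deserves a sentence in the commit message. `return 0;` would read better as `return NULL;`, matching the `hook != NULL` test in the context lines. The diffstat shows only malloc/malloc.c changed, so a regression test that calls valloc with a size near SIZE_MAX and expects a null return with errno set to ENOMEM would be worth adding alongside the fix.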