From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-ports-return-4477-listarch-libc-ports=sources.redhat.com@sourceware.org>
Received: (qmail 30086 invoked by alias); 10 Sep 2013 13:33:23 -0000
Mailing-List: contact libc-ports-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-ports.sourceware.org>
List-Subscribe: <mailto:libc-ports-subscribe@sourceware.org>
List-Post: <mailto:libc-ports@sourceware.org>
List-Help: <mailto:libc-ports-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: libc-ports-owner@sourceware.org
Received: (qmail 30031 invoked by uid 89); 10 Sep 2013 13:33:22 -0000
Received: from mail-ob0-f174.google.com (HELO mail-ob0-f174.google.com) (209.85.214.174) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-SHA encrypted) ESMTPS; Tue, 10 Sep 2013 13:33:22 +0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-3.4 required=5.0 tests=BAYES_00,FREEMAIL_FROM,KHOP_THREADED,NO_RELAYS autolearn=ham version=3.3.2
X-HELO: mail-ob0-f174.google.com
Received: by mail-ob0-f174.google.com with SMTP id wd6so7146757obb.19        for <libc-ports@sourceware.org>; Tue, 10 Sep 2013 06:33:20 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.182.39.161 with SMTP id q1mr2844188obk.54.1378820000002; Tue, 10 Sep 2013 06:33:20 -0700 (PDT)
Received: by 10.182.88.194 with HTTP; Tue, 10 Sep 2013 06:33:19 -0700 (PDT)
In-Reply-To: <522F1BAD.7070502@linaro.org>
References: <522F1BAD.7070502@linaro.org>
Date: Tue, 10 Sep 2013 13:33:00 -0000
Message-ID: <CAAHN_R0z3qODfoNn51aGbuATCbf55Rwim=mfEA7DTtocSWKSrA@mail.gmail.com>
Subject: Re: [PATCH v3] [BZ #15856] malloc: Check for integer overflow in valloc.
From: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
To: Will Newton <will.newton@linaro.org>
Cc: libc-ports@sourceware.org, patches@linaro.org
Content-Type: text/plain; charset=ISO-8859-1
X-IsSubscribed: yes
X-SW-Source: 2013-09/txt/msg00077.txt.bz2

On 10 September 2013 18:46, Will Newton <will.newton@linaro.org> wrote:
>
> A large bytes parameter to valloc could cause an integer overflow
> and corrupt allocator internals. Check the overflow does not occur
> before continuing with the allocation.
>
> ChangeLog:
>
> 2013-08-16  Will Newton  <will.newton@linaro.org>
>
>         [BZ #15856]
>         * malloc/malloc.c (__libc_valloc): Check the value of bytes
>         does not overflow.
> ---
>  malloc/malloc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> Changes in v3:
>  - Reorder if condition
>  - Set errno appropriately
>
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index 7f43ba3..3148c5f 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
>
>    size_t pagesz = GLRO(dl_pagesize);
>
> +  /* Check for overflow.  */
> +  if (bytes > SIZE_MAX - pagesz - MINSIZE)
> +    {
> +      __set_errno (ENOMEM);
> +      return 0;
> +    }
> +
>    void *(*hook) (size_t, size_t, const void *) =
>      force_reg (__memalign_hook);
>    if (__builtin_expect (hook != NULL, 0))
> --
> 1.8.1.4
>

Wrong mailing list, but the patch is OK.

Thanks,
Siddhesh

-- 
http://siddhesh.in