From: Keith Packard
To: newlib@sourceware.org
Subject: [PATCH 0/4] Fixes for memory allocation bugs
Date: Tue, 11 Aug 2020 16:05:39 -0700
Message-Id: <20200811230543.2169774-1-keithp@keithp.com>

There are two serious bug fixes here:

1) Check calloc/reallocarray for overflow in the multiply using
   __builtin_mul_overflow (which exists in gcc and clang).
   reallocarray was using some old BSD code for this, but
   __builtin_mul_overflow is both more efficient and more easily
   checked for correctness.

2) nano_realloc was copying too many bytes from the existing
   allocation when increasing the allocation size. This could lead to
   information disclosure, or a crash.

And a couple of minor improvements:

3) When nano_realloc is shrinking "a lot", re-allocate the buffer to
   make the original memory available.

4) When nano_realloc is shrinking and the new allocation fails, just
   return the old buffer to avoid having applications see unnecessary
   failures.
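The following is an added example written for this page; it is not code from the patch series or from newlib. It puts the old BSD-style multiply check beside the __builtin_mul_overflow form described in point 1, wraps the builtin in reallocarray/calloc front ends that refuse an overflowing product, and models points 2 and 4 with a toy size-tracking allocator: a realloc must copy only min(old_size, new_size) bytes, and a failed shrink hands the caller the old block. The MUL_NO_OVERFLOW constant is a reconstruction of the OpenBSD idiom, and the toy allocator is a stand-in for nano_malloc's bookkeeping, not its layout.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Old BSD-style test (reconstruction of the OpenBSD idiom): divide only when
 * either operand has a bit set in the upper half of size_t. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

static bool mul_overflows_bsd(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* Same question answered by the compiler builtin: no division, no corner
 * cases to reason about, works in gcc and clang. */
static bool mul_overflows_builtin(size_t nmemb, size_t size)
{
    size_t unused;
    return __builtin_mul_overflow(nmemb, size, &unused);
}

/* reallocarray/calloc front ends that fail cleanly instead of returning a
 * block far smaller than nmemb * size the caller believes it got. */
static void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    size_t bytes;
    if (__builtin_mul_overflow(nmemb, size, &bytes)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, bytes);
}

static void *checked_calloc(size_t nmemb, size_t size)
{
    void *p = checked_reallocarray(NULL, nmemb, size);
    if (p)
        memset(p, 0, nmemb * size);   /* product already known not to overflow */
    return p;
}

/* Toy allocator that records each block's size (stand-in for nano_malloc's
 * bookkeeping, not its real layout). */
struct hdr { size_t size; };

static void *toy_malloc(size_t n)
{
    struct hdr *h = malloc(sizeof *h + n);
    if (!h)
        return NULL;
    h->size = n;
    return h + 1;
}
static size_t toy_size(const void *p) { return ((const struct hdr *)p - 1)->size; }
static void toy_free(void *p) { if (p) free((struct hdr *)p - 1); }

/* Bytes realloc may copy from the old block: never more than it held.
 * Copying new_size bytes on a grow reads past the old allocation (point 2). */
static size_t realloc_copy_len(size_t old_size, size_t new_size)
{
    return old_size < new_size ? old_size : new_size;
}

static void *toy_realloc(void *p, size_t new_size)
{
    if (!p)
        return toy_malloc(new_size);
    size_t old_size = toy_size(p);
    void *q = toy_malloc(new_size);
    if (!q)
        return new_size <= old_size ? p : NULL;  /* point 4: failed shrink keeps old block */
    memcpy(q, p, realloc_copy_len(old_size, new_size));
    toy_free(p);
    return q;
}

/* Grow then shrink a block; the surviving prefix must be intact both times. */
static bool realloc_preserves_prefix(void)
{
    unsigned char *p = toy_malloc(16);
    if (!p)
        return false;
    memset(p, 0xAB, 16);
    unsigned char *q = toy_realloc(p, 64);        /* grow: copies 16 bytes, not 64 */
    if (!q) { toy_free(p); return false; }
    bool ok = toy_size(q) == 64;
    for (size_t i = 0; i < 16; i++)
        ok = ok && q[i] == 0xAB;
    unsigned char *r = toy_realloc(q, 8);         /* shrink: copies 8 bytes */
    ok = ok && toy_size(r) == 8;
    for (size_t i = 0; i < 8; i++)
        ok = ok && r[i] == 0xAB;
    toy_free(r);
    return ok;
}

int main(void)
{
    printf("bsd check  SIZE_MAX*2 overflows: %d\n", mul_overflows_bsd(SIZE_MAX, 2));
    printf("builtin    SIZE_MAX*2 overflows: %d\n", mul_overflows_builtin(SIZE_MAX, 2));
    printf("reallocarray(SIZE_MAX/2+1, 4) -> %p\n", checked_reallocarray(NULL, SIZE_MAX / 2 + 1, 4));
    printf("calloc(SIZE_MAX, SIZE_MAX)    -> %p\n", checked_calloc(SIZE_MAX, SIZE_MAX));
    printf("realloc keeps prefix: %d\n", realloc_preserves_prefix());
    return 0;
}
```

Both multiply checks agree on every input, which is the property worth verifying when swapping one for the other; the builtin simply has fewer places for a sign or boundary mistake to hide. The copy-length rule is the whole of the point-2 fix: an implementation that takes the new size as the copy length is reading bytes that were never part of the caller's block.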