From: Cyril Yared
To: newlib@sourceware.org
Cc: Cyril Yared
Subject: [PATCH 0/1] Fix null-pointer dereference in nano-malloc
Date: Tue, 25 Jan 2022 07:44:09 -0800
Message-Id: <20220125154410.56045-1-yaredcyril@gmail.com>

Commit 84d068971 introduced a null-pointer dereference in nano-malloc when the following two conditions are met:

1). The free_list has no items (= NULL).
2). The call to sbrk_aligned returns -1 (failure).

On line 325 of newlib/libc/stdlib/nano-mallocr.c, there is a check:

    if ((char *)p + p->size == (char *)_SBRK_R(RCALL 0)) {

If the two conditions are met, then p = free_list = NULL so p->size will be a null-pointer dereference.

Cyril Yared (1):
  Fix a potential null-pointer dereference in nano-malloc when calling malloc() while the free_list is empty and the call to sbrk_aligned fails.

 newlib/libc/stdlib/nano-mallocr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.21.0 (Apple Git-122.2)
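As an added illustration (not newlib's nano-mallocr.c and not the patch itself), the constructed C model below reproduces the two conditions named in the mail with hypothetical stand-ins for sbrk_aligned() and _SBRK_R(RCALL 0), and shows the NULL guard that must run before p->size is read when the free list is empty and the break cannot be extended:

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of the failure path described in the mail; not newlib's code.
 * A chunk's size includes its header, so a chunk ends at (char *)p + p->size. */
typedef struct chunk { size_t size; struct chunk *next; } chunk_t;

static chunk_t *free_list = NULL;   /* condition 1: empty free list */
static bool sbrk_fails = false;     /* condition 2: simulate sbrk failure */
static chunk_t heap[32];            /* 512-byte fake heap, header-aligned */
static size_t brk = 0;              /* bytes handed out from the fake heap */
static void *last_alloc = NULL;     /* payload of the most recent allocation */

/* Hypothetical stand-in for sbrk_aligned(): (void *)-1 on failure, like sbrk(). */
static void *sbrk_aligned_model(size_t n) {
    if (sbrk_fails || brk + n > sizeof heap) return (void *)-1;
    void *r = (char *)heap + brk; brk += n; return r;
}
/* Hypothetical stand-in for _SBRK_R(RCALL 0): the current program break. */
static void *sbrk_current(void) { return (char *)heap + brk; }

enum alloc_path { FROM_FREE_LIST, FROM_SBRK, SBRK_FAILED_EMPTY_LIST,
                  SBRK_FAILED_ADJACENT, SBRK_FAILED_OTHER };

/* Allocation with the guard the unpatched code lacked: p is NULL when the
 * free list is empty, so it must be tested before p->size is dereferenced. */
static enum alloc_path malloc_model(size_t n) {
    chunk_t *p = free_list, *last = NULL, *r;
    last_alloc = NULL;
    for (; p; last = p, p = p->next)               /* first fit; no unlinking in the model */
        if (p->size >= n) { last_alloc = p + 1; return FROM_FREE_LIST; }
    p = last;                                      /* last chunk examined, or NULL */
    r = sbrk_aligned_model(n + sizeof *r);
    if (r != (void *)-1) { r->size = n + sizeof *r; last_alloc = r + 1; return FROM_SBRK; }
    /* The unpatched check evaluated (char *)p + p->size here with no NULL test. */
    if (p == NULL) return SBRK_FAILED_EMPTY_LIST;
    if ((char *)p + p->size == (char *)sbrk_current()) return SBRK_FAILED_ADJACENT;
    return SBRK_FAILED_OTHER;
}

/* Helpers for exercising the model: return a payload's chunk to the free list,
 * and reset heap state with the sbrk failure flag set as requested. */
static void release_model(void *payload) {
    chunk_t *c = (chunk_t *)payload - 1; c->next = free_list; free_list = c;
}
static void reset_model(bool fail) { free_list = NULL; brk = 0; sbrk_fails = fail; }
```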