From: Cyril Yared
Date: Mon, 24 Jan 2022 22:04:11 -0800
Subject: Null-pointer dereference bug in nano-malloc
To: newlib@sourceware.org

Hi,

It appears that commit 84d068971 introduced a null-pointer dereference in nano-malloc when the following two conditions are met:

1) The free_list has no items (= NULL).
2) The call to sbrk_aligned returns -1 (failure).

On line 325 of newlib/libc/stdlib/nano-mallocr.c, there is a check:

    if ((char *)p + p->size == (char *)_SBRK_R(RCALL 0)) {

If the two conditions are met, then p = free_list = NULL so p->size will be a null-pointer dereference.

Is this something that's known/being tracked anywhere?

Cyril
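The following toy allocator is an added illustration of the failure path the report describes; it is not newlib's nano-malloc and not code from the reporter. It models a nano-malloc style free list and a growth call that can fail, and shows the NULL guard that must precede the quoted tail-chunk check. All names (toy_malloc, toy_sbrk, tail_chunk_at_break, the arena and its limit) and the first-fit/extension logic are constructed for this example and only approximate the real allocator's structure.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a nano-malloc style allocator, constructed for this example
 * (not newlib's code). It reproduces the shape of the path in the report:
 * the free list is empty and the sbrk-style growth call fails. */
typedef struct chunk {
    size_t size;          /* bytes in this chunk, header included */
    struct chunk *next;   /* next free chunk; only meaningful while free */
} chunk_t;

#define ARENA_SIZE 1024
#define ALIGN 8
#define ALIGN_UP(x) (((x) + (ALIGN - 1)) & ~(size_t)(ALIGN - 1))

static _Alignas(ALIGN) char arena[ARENA_SIZE];
static size_t arena_used;    /* offset of the simulated program break */
static size_t arena_limit;   /* growth beyond this offset fails, like an exhausted heap */
static chunk_t *free_list;   /* address-ordered singly linked free list */

static void toy_reset(size_t limit) { arena_used = 0; arena_limit = limit; free_list = NULL; }
static void toy_set_limit(size_t limit) { arena_limit = limit; }
static size_t toy_break(void) { return arena_used; }
static size_t toy_chunk_size(size_t n) { return ALIGN_UP(n + sizeof(chunk_t)); }
static int toy_free_count(void) {
    int k = 0;
    for (chunk_t *p = free_list; p != NULL; p = p->next) k++;
    return k;
}

/* Stand-in for sbrk: returns the old break, or (void *)-1 on failure. */
static void *toy_sbrk(size_t incr) {
    if (arena_used + incr > arena_limit) return (void *)-1;
    void *old = arena + arena_used;
    arena_used += incr;
    return old;
}

/* The check quoted in the report, preceded by the NULL guard it needs:
 * returns the last free chunk if it ends exactly at the break, else NULL. */
static chunk_t *tail_chunk_at_break(void) {
    chunk_t *p = free_list;
    if (p == NULL) return NULL;   /* empty free list: p->size would dereference NULL */
    while (p->next != NULL) p = p->next;
    return ((char *)p + p->size == (char *)toy_sbrk(0)) ? p : NULL;
}

static void unlink_chunk(chunk_t *c) {
    chunk_t **pp = &free_list;
    while (*pp != NULL && *pp != c) pp = &(*pp)->next;
    if (*pp == c) *pp = c->next;
}

/* Allocate n bytes: first fit from the free list, else grow the heap; if growth
 * fails, extend the tail free chunk when (and only when) one borders the break. */
static void *toy_malloc(size_t n) {
    size_t alloc_size = toy_chunk_size(n);
    chunk_t *p;
    for (p = free_list; p != NULL; p = p->next)
        if (p->size >= alloc_size) { unlink_chunk(p); return (char *)p + sizeof(chunk_t); }

    p = toy_sbrk(alloc_size);
    if (p != (void *)-1) { p->size = alloc_size; return (char *)p + sizeof(chunk_t); }

    chunk_t *tail = tail_chunk_at_break();
    if (tail == NULL) return NULL;                       /* report NULL instead of crashing */
    if (toy_sbrk(alloc_size - tail->size) == (void *)-1) return NULL;
    unlink_chunk(tail);
    tail->size = alloc_size;
    return (char *)tail + sizeof(chunk_t);
}

/* Return a block to the address-ordered free list (no coalescing; enough for the model). */
static void toy_free(void *ptr) {
    if (ptr == NULL) return;
    chunk_t *c = (chunk_t *)((char *)ptr - sizeof(chunk_t));
    chunk_t **pp = &free_list;
    while (*pp != NULL && *pp < c) pp = &(*pp)->next;
    c->next = *pp;
    *pp = c;
}

int main(void) {
    toy_reset(0);   /* heap exhausted from the start: the report's two preconditions */
    printf("empty free list + failed sbrk -> %p\n", toy_malloc(16));
    toy_reset(ARENA_SIZE);
    void *a = toy_malloc(16), *b = toy_malloc(16);
    toy_free(b);
    printf("free chunks: %d, break offset: %zu\n", toy_free_count(), toy_break());
    (void)a;
    return 0;
}
```

With the guard in place, an exhausted heap and an empty free list make the allocation fail cleanly with NULL; without it, the same inputs read `size` through a NULL pointer, which on a bare-metal target without an MMU reads address zero silently rather than faulting, so the bug can surface as corrupted state far from the allocator.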