1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
| | From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen@redhat.com>
Date: Tue, 17 Nov 2020 10:50:57 +0100
Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
allocation reqs
The overflow check in mEMALIGn erroneously checks for INT_MAX,
albeit the input parameter is size_t. Fix this to check for
__SIZE_MAX__ instead. Also, it misses to check the req against
adding the alignment before calling mALLOc.
While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
nano_valloc, and Cygwin's (unused) dlpvalloc.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
---
newlib/libc/stdlib/mallocr.c | 7 ++++++-
newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
winsup/cygwin/malloc.cc | 4 ++++
3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
index 9ad720ada..13d014cc8 100644
--- a/newlib/libc/stdlib/mallocr.c
+++ b/newlib/libc/stdlib/mallocr.c
@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
nb = request2size(bytes);
/* Check for overflow. */
- if (nb > INT_MAX || nb < bytes)
+ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
{
RERRNO = ENOMEM;
return 0;
@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
#endif
{
size_t pagesize = malloc_getpagesize;
+ if (bytes > __SIZE_MAX__ - pagesize)
+ {
+ RERRNO = ENOMEM;
+ return 0;
+ }
return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
}
diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
index 6dbfba84b..1e0703948 100644
--- a/newlib/libc/stdlib/nano-mallocr.c
+++ b/newlib/libc/stdlib/nano-mallocr.c
@@ -580,8 +580,22 @@ void * nano_memalign(RARG size_t align, size_t s)
if ((align & (align-1)) != 0) return NULL;
align = MAX(align, MALLOC_ALIGN);
+
+ /* Make sure ma_size does not overflow */
+ if (s > __SIZE_MAX__ - CHUNK_ALIGN)
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
ma_size = ALIGN_SIZE(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
- size_with_padding = ma_size + align - MALLOC_ALIGN;
+
+ /* Make sure size_with_padding does not overflow */
+ if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
+ size_with_padding = ma_size + (align - MALLOC_ALIGN);
allocated = nano_malloc(RCALL size_with_padding);
if (allocated == NULL) return NULL;
@@ -644,6 +658,12 @@ void * nano_valloc(RARG size_t s)
#ifdef DEFINE_PVALLOC
void * nano_pvalloc(RARG size_t s)
{
+ /* Make sure size given to nano_valloc does not overflow */
+ if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
+ {
+ RERRNO = ENOMEM;
+ return NULL;
+ }
return nano_valloc(RCALL ALIGN_SIZE(s, MALLOC_PAGE_ALIGN));
}
#endif /* DEFINE_PVALLOC */
diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
index 23c354074..8a1fc257e 100644
--- a/winsup/cygwin/malloc.cc
+++ b/winsup/cygwin/malloc.cc
@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
size_t pagesz;
ensure_initialization();
pagesz = mparams.page_size;
+ if (bytes > MAX_REQUEST) {
+ MALLOC_FAILURE_ACTION;
+ return NULL;
+ }
return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
}
--
2.27.0
|