RFA: libiberty: cope with integer overflow in _objalloc_alloc
Florian Weimer
fweimer@redhat.com
Fri Aug 31 11:02:00 GMT 2012
On 08/31/2012 12:33 PM, Nick Clifton wrote:
> Hi DJ, Hi Ian,
>
> The _objalloc_alloc() function is currently vulnerable to an integer
> overflow if it is passed a negative length. For example if called
> with len = -3 and assuming that OBJALLOC_ALIGN is 4 then:
>
> line 122: len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
>
> So len = (-3 + 3) & ~ 3 = 0, and then the function returns a pointer
> that will be reused the next time _objalloc_alloc is called.
>
> Or suppose that len = -4, then:
>
> line 122: len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
>
> Which gives len = (-4 + 3) & ~3 = -4 and then:
>
> line 136: ret = (char *) malloc (CHUNK_HEADER_SIZE + len);
>
> So now the function returns a pointer to a memory block that is not
> even big enough to contain the chunk header.
>
> The proposed patch should take care of both of these scenarios. OK
> to apply ?
If I'm not mistaken, this doesn't cover the -3 case properly:
PTR
_objalloc_alloc (struct objalloc *o, unsigned long len)
{
len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
/* We avoid confusion from zero sized objects by always allocating
at least OBJALLOC_ALIGN bytes. */
if (len == 0)
len = OBJALLOC_ALIGN;
This still results in a pointer which is too small. And this code is
never called because the wraparound already happens in the
objalloc_alloc macro in the header file.
Here's a different patch which should not suffer from this problem:
<http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01986.html>
--
Florian Weimer / Red Hat Product Security Team
More information about the Gcc-patches
mailing list