diff options
| author | Marius Melzer <marius.melzer@kernkonzept.com> | 2025-08-04 14:10:33 +0200 | 
|---|---|---|
| committer | Waldemar Brodkorb <wbx@openadk.org> | 2025-08-07 19:07:24 +0200 | 
| commit | d452d5523acb0e89d2e36fa700cdd2da87186fb2 (patch) | |
| tree | af2cd7ab6ef347462855e0a778dce9a82cf4da48 /libc/sysdeps/linux/common-generic/bits/align64bit.h | |
| parent | 42e662234fb5caaa329d33edb943113f79b14239 (diff) | |
malloc-standard: Fix truncation problem in malloc
This fixes a bug that can lead to the calculation of a wrong bin `idx`,
which in turn leads to a too small chunk of memory being chosen for the
number of bytes (`nb`) to be allocated. This leads to a fault (or
possibly to memory being written in the wrong location) when using the
offset `nb` on top of the chunk for a write operation.
malloc() takes the number of bytes to allocate as size_t, but the
calculation of the global bin index idx is done via
malloc_largebin_index() which takes as parameter and calculates
internally with unsigned int. This leads, for large allocations, to a
truncation of the value and consequently to the idx being wrongly
calculated.
idx is an index into the bins which are sorted in ascending order of
size range of its including chunks (e.g. 8-16, 16-32, 32-64,...).
The malloc() algorithm depends on the idx being calculated such that
we begin searching only at a bin whose chunks are always large enough
to include the memory size to be allocated (nb).
If the idx is too small (as can happen due to the described integer
overflow), this code will lead to a write to a wrong
address (remainder->bk resp. remainder->fd) (lines from malloc.c):
1086    size = chunksize(victim);
1087
1088    /* We know the first chunk in this bin is big enough to use. */
1089    assert((unsigned long)(size) >= (unsigned long)(nb));
1108    remainder = chunk_at_offset(victim, nb);
1111    remainder->bk = remainder->fd = unsorted_chunks(av);
The chunk victim should normally be from a bin of a range where each
chunk is at least of the size nb. Since it's not, its size may be
smaller than nb. With assertions enabled the assertion in 1089 would
fail. Without assertions we add nb as an offset to the chunk but since
the size of the chunk is a lot smaller than nb, this will point to an
address somewhere else.
Signed-off-by: Marcus Haehnel <marcus.haehnel@kernkonzept.com>
Diffstat (limited to 'libc/sysdeps/linux/common-generic/bits/align64bit.h')
0 files changed, 0 insertions, 0 deletions
