@@ -68,6 +68,12 @@ Deprecated and removed features, and other changes affecting compatibility:
used by the Linux kernel. This affects the size and layout of those
structures.
+* Memory allocation functions malloc, calloc, realloc, reallocarray, valloc,
+ pvalloc, memalign, and posix_memalign fail now with total object size
+ larger than PTRDIFF_MAX. This is to avoid potential undefined behavior with
+ pointer subtraction within the allocated object, where results might
+ overflow the ptrdiff_t type.
+
Changes to build and runtime requirements:
* Python 3.4 or later is required to build the GNU C Library.
@@ -226,8 +226,9 @@ static void *
malloc_check (size_t sz, const void *caller)
{
void *victim;
+ size_t nb;
- if (sz + 1 == 0)
+ if (__builtin_add_overflow (sz, 1, &nb))
{
__set_errno (ENOMEM);
return NULL;
@@ -235,7 +236,7 @@ malloc_check (size_t sz, const void *caller)
__libc_lock_lock (main_arena.mutex);
top_check ();
- victim = _int_malloc (&main_arena, sz + 1);
+ victim = _int_malloc (&main_arena, nb);
__libc_lock_unlock (main_arena.mutex);
return mem2mem_check (victim, sz);
}
@@ -268,8 +269,9 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
INTERNAL_SIZE_T nb;
void *newmem = 0;
unsigned char *magic_p;
+ size_t rb;
- if (bytes + 1 == 0)
+ if (__builtin_add_overflow (bytes, 1, &rb))
{
__set_errno (ENOMEM);
return NULL;
@@ -289,7 +291,11 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
malloc_printerr ("realloc(): invalid pointer");
const INTERNAL_SIZE_T oldsize = chunksize (oldp);
- checked_request2size (bytes + 1, nb);
+ if (!checked_request2size (rb, &nb))
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+ }
__libc_lock_lock (main_arena.mutex);
if (chunk_is_mmapped (oldp))
@@ -308,7 +314,7 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
{
/* Must alloc, copy, free. */
top_check ();
- newmem = _int_malloc (&main_arena, bytes + 1);
+ newmem = _int_malloc (&main_arena, rb);
if (newmem)
{
memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ);
@@ -320,8 +326,6 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
else
{
top_check ();
- INTERNAL_SIZE_T nb;
- checked_request2size (bytes + 1, nb);
newmem = _int_realloc (&main_arena, oldp, oldsize, nb);
}
@@ -1187,17 +1187,6 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
((uintptr_t)(MALLOC_ALIGNMENT == 2 * SIZE_SZ ? (p) : chunk2mem (p)) \
& MALLOC_ALIGN_MASK)
-
-/*
- Check if a request is so large that it would wrap around zero when
- padded and aligned. To simplify some other code, the bound is made
- low enough so that adding MINSIZE will also not wrap around zero.
- */
-
-#define REQUEST_OUT_OF_RANGE(req) \
- ((unsigned long) (req) >= \
- (unsigned long) (INTERNAL_SIZE_T) (-2 * MINSIZE))
-
/* pad request bytes into a usable size -- internal version */
#define request2size(req) \
@@ -1205,21 +1194,27 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
MINSIZE : \
((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
-/* Same, except also perform an argument and result check. First, we check
- that the padding done by request2size didn't result in an integer
- overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting
- size isn't so large that a later alignment would lead to another integer
- overflow. */
-#define checked_request2size(req, sz) \
-({ \
- (sz) = request2size (req); \
- if (((sz) < (req)) \
- || REQUEST_OUT_OF_RANGE (sz)) \
- { \
- __set_errno (ENOMEM); \
- return 0; \
- } \
-})
+/* Check if REQ overflows when padded and aligned and if the resulting value
+ is less than PTRDIFF_T. Returns TRUE and the requested size or MINSIZE in
+ case the value is less than MINSIZE on SZ or false if any of the previous
+ check fail. */
+static inline bool
+checked_request2size (size_t req, size_t *sz) __nonnull (1)
+{
+ size_t ret;
+ if (__glibc_unlikely (__builtin_add_overflow (req,
+ SIZE_SZ + MALLOC_ALIGN_MASK,
+ &ret)))
+ return false;
+
+ ret = ret < MINSIZE ? MINSIZE : ret & ~MALLOC_ALIGN_MASK;
+ if (__glibc_unlikely (ret > PTRDIFF_MAX))
+ return false;
+
+ *sz = ret;
+ return true;
+}
+
/*
--------------- Physical chunk operations ---------------
@@ -3109,6 +3104,9 @@ __libc_malloc (size_t bytes)
mstate ar_ptr;
void *victim;
+ _Static_assert (PTRDIFF_MAX <= SIZE_MAX / 2,
+ "PTRDIFF_MAX is not more than half of SIZE_MAX");
+
void *(*hook) (size_t, const void *)
= atomic_forced_read (__malloc_hook);
if (__builtin_expect (hook != NULL, 0))
@@ -3116,7 +3114,11 @@ __libc_malloc (size_t bytes)
#if USE_TCACHE
/* int_free also calls request2size, be careful to not pad twice. */
size_t tbytes;
- checked_request2size (bytes, tbytes);
+ if (!checked_request2size (bytes, &tbytes))
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+ }
size_t tc_idx = csize2tidx (tbytes);
MAYBE_INIT_TCACHE ();
@@ -3253,7 +3255,11 @@ __libc_realloc (void *oldmem, size_t bytes)
&& !DUMPED_MAIN_ARENA_CHUNK (oldp))
malloc_printerr ("realloc(): invalid pointer");
- checked_request2size (bytes, nb);
+ if (!checked_request2size (bytes, &nb))
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+ }
if (chunk_is_mmapped (oldp))
{
@@ -3363,13 +3369,6 @@ _mid_memalign (size_t alignment, size_t bytes, void *address)
return 0;
}
- /* Check for overflow. */
- if (bytes > SIZE_MAX - alignment - MINSIZE)
- {
- __set_errno (ENOMEM);
- return 0;
- }
-
/* Make sure alignment is power of 2. */
if (!powerof2 (alignment))
@@ -3429,14 +3428,16 @@ __libc_pvalloc (size_t bytes)
void *address = RETURN_ADDRESS (0);
size_t pagesize = GLRO (dl_pagesize);
- size_t rounded_bytes = ALIGN_UP (bytes, pagesize);
-
- /* Check for overflow. */
- if (bytes > SIZE_MAX - 2 * pagesize - MINSIZE)
+ size_t rounded_bytes;
+ /* ALIGN_UP with overflow check. */
+ if (__glibc_unlikely (__builtin_add_overflow (bytes,
+ pagesize - 1,
+ &rounded_bytes)))
{
__set_errno (ENOMEM);
return 0;
}
+ rounded_bytes = rounded_bytes & -(pagesize - 1);
return _mid_memalign (pagesize, rounded_bytes, address);
}
@@ -3446,30 +3447,24 @@ __libc_calloc (size_t n, size_t elem_size)
{
mstate av;
mchunkptr oldtop, p;
- INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
+ INTERNAL_SIZE_T sz, csz, oldtopsize;
void *mem;
unsigned long clearsize;
unsigned long nclears;
INTERNAL_SIZE_T *d;
+ ptrdiff_t bytes;
- /* size_t is unsigned so the behavior on overflow is defined. */
- bytes = n * elem_size;
-#define HALF_INTERNAL_SIZE_T \
- (((INTERNAL_SIZE_T) 1) << (8 * sizeof (INTERNAL_SIZE_T) / 2))
- if (__builtin_expect ((n | elem_size) >= HALF_INTERNAL_SIZE_T, 0))
+ if (__glibc_unlikely (__builtin_mul_overflow (n, elem_size, &bytes)))
{
- if (elem_size != 0 && bytes / elem_size != n)
- {
- __set_errno (ENOMEM);
- return 0;
- }
+ __set_errno (ENOMEM);
+ return NULL;
}
+ sz = bytes;
void *(*hook) (size_t, const void *) =
atomic_forced_read (__malloc_hook);
if (__builtin_expect (hook != NULL, 0))
{
- sz = bytes;
mem = (*hook)(sz, RETURN_ADDRESS (0));
if (mem == 0)
return 0;
@@ -3477,8 +3472,6 @@ __libc_calloc (size_t n, size_t elem_size)
return memset (mem, 0, sz);
}
- sz = bytes;
-
MAYBE_INIT_TCACHE ();
if (SINGLE_THREAD_P)
@@ -3625,12 +3618,16 @@ _int_malloc (mstate av, size_t bytes)
Convert request size to internal form by adding SIZE_SZ bytes
overhead plus possibly more to obtain necessary alignment and/or
to obtain a size of at least MINSIZE, the smallest allocatable
- size. Also, checked_request2size traps (returning 0) request sizes
+ size. Also, checked_request2size returns false for request sizes
that are so large that they wrap around zero when padded and
aligned.
*/
- checked_request2size (bytes, nb);
+ if (!checked_request2size (bytes, &nb))
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+ }
/* There are no usable arenas. Fall back to sysmalloc to get a chunk from
mmap. */
@@ -4743,21 +4740,17 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
- checked_request2size (bytes, nb);
+ if (!checked_request2size (bytes, &nb))
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+ }
/*
Strategy: find a spot within that chunk that meets the alignment
request, and then possibly free the leading and trailing space.
*/
-
- /* Check for overflow. */
- if (nb > SIZE_MAX - alignment - MINSIZE)
- {
- __set_errno (ENOMEM);
- return 0;
- }
-
/* Call malloc with worst case padding to hit alignment. */
m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
@@ -35,11 +35,12 @@
__BEGIN_DECLS
/* Allocate SIZE bytes of memory. */
-extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
+extern void *malloc (size_t __size) __THROW __attribute_malloc__
+ __attribute_alloc_size__ ((1)) __wur;
/* Allocate NMEMB elements of SIZE bytes each, all initialized to 0. */
extern void *calloc (size_t __nmemb, size_t __size)
-__THROW __attribute_malloc__ __wur;
+__THROW __attribute_malloc__ __attribute_alloc_size__ ((1, 2)) __wur;
/* Re-allocate the previously allocated block in __ptr, making the new
block SIZE bytes long. */
@@ -47,7 +48,7 @@ __THROW __attribute_malloc__ __wur;
the same pointer that was passed to it, aliasing needs to be allowed
between objects pointed by the old and new pointers. */
extern void *realloc (void *__ptr, size_t __size)
-__THROW __attribute_warn_unused_result__;
+__THROW __attribute_warn_unused_result__ __attribute_alloc_size__ ((2));
/* Re-allocate the previously allocated block in PTR, making the new
block large enough for NMEMB elements of SIZE bytes each. */
@@ -55,21 +56,23 @@ __THROW __attribute_warn_unused_result__;
the same pointer that was passed to it, aliasing needs to be allowed
between objects pointed by the old and new pointers. */
extern void *reallocarray (void *__ptr, size_t __nmemb, size_t __size)
-__THROW __attribute_warn_unused_result__;
+__THROW __attribute_warn_unused_result__ __attribute_alloc_size__ ((2, 3));
/* Free a block allocated by `malloc', `realloc' or `calloc'. */
extern void free (void *__ptr) __THROW;
/* Allocate SIZE bytes allocated to ALIGNMENT bytes. */
extern void *memalign (size_t __alignment, size_t __size)
-__THROW __attribute_malloc__ __wur;
+__THROW __attribute_malloc__ __attribute_alloc_size__ ((2)) __wur;
/* Allocate SIZE bytes on a page boundary. */
-extern void *valloc (size_t __size) __THROW __attribute_malloc__ __wur;
+extern void *valloc (size_t __size) __THROW __attribute_malloc__
+ __attribute_alloc_size__ ((1)) __wur;
/* Equivalent to valloc(minimum-page-that-holds(n)), that is, round up
__size to nearest pagesize. */
-extern void *pvalloc (size_t __size) __THROW __attribute_malloc__ __wur;
+extern void *pvalloc (size_t __size) __THROW __attribute_malloc__
+ __attribute_alloc_size__ ((1)) __wur;
/* Underlying allocation function; successive calls should return
contiguous pieces of memory. */
@@ -226,6 +226,16 @@ do_test (void)
test_large_aligned_allocations (SIZE_MAX - i);
}
+ /* Allocation larger than PTRDIFF_MAX does play well with C standard,
+ since pointer subtraction within the object might overflow ptrdiff_t
+ resulting in undefined behavior. To prevent it malloc function fail
+ for such allocations. */
+ for (size_t i = 0; i <= FOURTEEN_ON_BITS; i++)
+ {
+ test_large_allocations (PTRDIFF_MAX + i);
+ test_large_aligned_allocations (PTRDIFF_MAX + i);
+ }
+
#if __WORDSIZE >= 64
/* On 64-bit targets, we need to test a much wider range of too-large
sizes, so we test at intervals of (1 << 50) that allocation sizes
@@ -21,6 +21,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <libc-diag.h>
static int errors = 0;
@@ -41,9 +42,18 @@ do_test (void)
errno = 0;
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we want to test
+ that they fail. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
/* An attempt to allocate a huge value should return NULL and set
errno to ENOMEM. */
p = memalign (sizeof (void *), -1);
+#if __GNUC_PREREQ (7, 0)
+ DIAG_POP_NEEDS_COMMENT;
+#endif
save = errno;
@@ -21,6 +21,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <libc-diag.h>
static int errors = 0;
@@ -41,9 +42,18 @@ do_test (void)
p = NULL;
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we want to test
+ that they fail. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
/* An attempt to allocate a huge value should return ENOMEM and
p should remain NULL. */
ret = posix_memalign (&p, sizeof (void *), -1);
+#if __GNUC_PREREQ (7, 0)
+ DIAG_POP_NEEDS_COMMENT;
+#endif
if (ret != ENOMEM)
merror ("posix_memalign (&p, sizeof (void *), -1) succeeded.");
@@ -21,6 +21,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <libc-diag.h>
static int errors = 0;
@@ -41,9 +42,18 @@ do_test (void)
errno = 0;
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we want to test
+ that they fail. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
/* An attempt to allocate a huge value should return NULL and set
errno to ENOMEM. */
p = pvalloc (-1);
+#if __GNUC_PREREQ (7, 0)
+ DIAG_POP_NEEDS_COMMENT;
+#endif
save = errno;
@@ -20,6 +20,23 @@
#include <malloc.h>
#include <string.h>
#include <support/check.h>
+#include <libc-diag.h>
+
+static void *
+reallocarray_nowarn (void *ptr, size_t nmemb, size_t size)
+{
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we want to test
+ that they fail. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
+ void *ret = reallocarray (ptr, nmemb, size);
+#if __GNUC_PREREQ (7, 0)
+ DIAG_POP_NEEDS_COMMENT;
+#endif
+ return ret;
+}
+
static int
do_test (void)
@@ -34,24 +51,24 @@ do_test (void)
/* Test overflow detection. */
errno = 0;
- ptr = reallocarray (NULL, max, 2);
+ ptr = reallocarray_nowarn (NULL, max, 2);
TEST_VERIFY (!ptr);
TEST_VERIFY (errno == ENOMEM);
errno = 0;
- ptr = reallocarray (NULL, 2, max);
+ ptr = reallocarray_nowarn (NULL, 2, max);
TEST_VERIFY (!ptr);
TEST_VERIFY (errno == ENOMEM);
a = 65537;
b = max/65537 + 1;
errno = 0;
- ptr = reallocarray (NULL, a, b);
+ ptr = reallocarray_nowarn (NULL, a, b);
TEST_VERIFY (!ptr);
TEST_VERIFY (errno == ENOMEM);
errno = 0;
- ptr = reallocarray (NULL, b, a);
+ ptr = reallocarray_nowarn (NULL, b, a);
TEST_VERIFY (!ptr);
TEST_VERIFY (errno == ENOMEM);
@@ -97,7 +114,7 @@ do_test (void)
/* Overflow should leave buffer untouched. */
errno = 0;
- ptr2 = reallocarray (ptr, 2, ~(size_t)0);
+ ptr2 = reallocarray_nowarn (ptr, 2, ~(size_t)0);
TEST_VERIFY (!ptr2);
TEST_VERIFY (errno == ENOMEM);
@@ -21,6 +21,7 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
+#include <libc-diag.h>
static int errors = 0;
@@ -41,9 +42,18 @@ do_test (void)
errno = 0;
+ DIAG_PUSH_NEEDS_COMMENT;
+#if __GNUC_PREREQ (7, 0)
+ /* GCC 7 warns about too-large allocations; here we want to test
+ that they fail. */
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+#endif
/* An attempt to allocate a huge value should return NULL and set
errno to ENOMEM. */
p = valloc (-1);
+#if __GNUC_PREREQ (7, 0)
+ DIAG_POP_NEEDS_COMMENT;
+#endif
save = errno;
@@ -536,10 +536,11 @@ extern int lcong48_r (unsigned short int __param[7],
#endif /* Use misc or X/Open. */
/* Allocate SIZE bytes of memory. */
-extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
+extern void *malloc (size_t __size) __THROW __attribute_malloc__
+ __attribute_alloc_size__ ((1)) __wur;
/* Allocate NMEMB elements of SIZE bytes each, all initialized to 0. */
extern void *calloc (size_t __nmemb, size_t __size)
- __THROW __attribute_malloc__ __wur;
+ __THROW __attribute_malloc__ __attribute_alloc_size__ ((1, 2)) __wur;
/* Re-allocate the previously allocated block
in PTR, making the new block SIZE bytes long. */
@@ -547,7 +548,7 @@ extern void *calloc (size_t __nmemb, size_t __size)
the same pointer that was passed to it, aliasing needs to be allowed
between objects pointed by the old and new pointers. */
extern void *realloc (void *__ptr, size_t __size)
- __THROW __attribute_warn_unused_result__;
+ __THROW __attribute_warn_unused_result__ __attribute_alloc_size__ ((2));
#ifdef __USE_MISC
/* Re-allocate the previously allocated block in PTR, making the new
@@ -556,7 +557,8 @@ extern void *realloc (void *__ptr, size_t __size)
the same pointer that was passed to it, aliasing needs to be allowed
between objects pointed by the old and new pointers. */
extern void *reallocarray (void *__ptr, size_t __nmemb, size_t __size)
- __THROW __attribute_warn_unused_result__;
+ __THROW __attribute_warn_unused_result__
+ __attribute_alloc_size__ ((2, 3));
#endif
/* Free a block allocated by `malloc', `realloc' or `calloc'. */
@@ -569,7 +571,8 @@ extern void free (void *__ptr) __THROW;
#if (defined __USE_XOPEN_EXTENDED && !defined __USE_XOPEN2K) \
|| defined __USE_MISC
/* Allocate SIZE bytes on a page boundary. The storage cannot be freed. */
-extern void *valloc (size_t __size) __THROW __attribute_malloc__ __wur;
+extern void *valloc (size_t __size) __THROW __attribute_malloc__
+ __attribute_alloc_size__ ((1)) __wur;
#endif
#ifdef __USE_XOPEN2K