From patchwork Tue Nov 7 15:27:07 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 24142
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Delivered-To: mailing list libc-alpha@sourceware.org
From: Istvan Kurucsai To: libc-alpha@sourceware.org Cc: Istvan Kurucsai Subject: [PATCH v2 4/7] malloc: Ensure lower bound on chunk size in __libc_realloc. Date: Tue, 7 Nov 2017 16:27:07 +0100 Message-Id: <1510068430-27816-5-git-send-email-pistukem@gmail.com> In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> Under some circumstances, a chunk size of SIZE_SZ could lead to an underflow when calculating the length argument of memcpy. * malloc/malloc.c (__libc_realloc): Check chunk size. --- malloc/malloc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 51d703c..8e48952 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3154,8 +3154,9 @@ __libc_realloc (void *oldmem, size_t bytes) accident or by "design" from some intruder. We need to bypass this check for dumped fake mmap chunks from the old main arena because the new malloc may provide additional alignment. */ - if ((__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0) - || __builtin_expect (misaligned_chunk (oldp), 0)) + if ((__glibc_unlikely ((uintptr_t) oldp > (uintptr_t) -oldsize) + || __glibc_unlikely (misaligned_chunk (oldp)) + || __glibc_unlikely (oldsize <= 2 * SIZE_SZ)) && !DUMPED_MAIN_ARENA_CHUNK (oldp)) malloc_printerr ("realloc(): invalid pointer");
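Review bot: the bound in the new condition does not match the commit message: the message says "a chunk size of SIZE_SZ could lead to an underflow", but the hunk rejects `oldsize <= 2 * SIZE_SZ`, so please make the message (and the ChangeLog entry) state the bound that is actually enforced and why `<=` rather than `<` is the right comparison, i.e. what the smallest oldsize is that the later memcpy length computation can safely take. The comment block directly above the condition ("We need to bypass this check for dumped fake mmap chunks ...") still describes only the wraparound and alignment checks; extend it with a sentence on the size lower bound so a reader does not have to reconstruct the reason from the memcpy call further down. Finally, the switch from `__builtin_expect (..., 0)` to `__glibc_unlikely (...)` on the two existing lines is an unrelated cleanup that neither the message nor the ChangeLog entry mentions; either call it out there or split it into its own patch so the functional change stays minimal to review.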