From patchwork Thu Oct 27 15:33:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Szabolcs Nagy
X-Patchwork-Id: 59544
Subject: [PATCH 16/20] Fix malloc/tst-scratch_buffer OOB access
Date: Thu, 27 Oct 2022 16:33:36 +0100
X-Mailer: git-send-email 2.25.1
List-Id: Libc-alpha mailing list
X-Patchwork-Original-From: Szabolcs Nagy via Libc-alpha
From: Szabolcs Nagy
Reply-To: Szabolcs Nagy

The test used scratch_buffer_dupfree incorrectly:

- The passed in size must be <= buf.length.
- Must be called at most once on a buf object since it frees it.
- After it is called buf.data and buf.length must not be accessed.

All of these were violated, the test happened to work because the
buffer was on the stack, which meant the test copied out-of-bounds
bytes from the stack into a new buffer and then compared those bytes.

Run one test and avoid the issues above.

--- malloc/tst-scratch_buffer.c | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/malloc/tst-scratch_buffer.c b/malloc/tst-scratch_buffer.c index 9fcb11ba2c..60a513ccc6 100644 --- a/malloc/tst-scratch_buffer.c +++ b/malloc/tst-scratch_buffer.c @@ -155,21 +155,13 @@ do_test (void) struct scratch_buffer buf; scratch_buffer_init (&buf); memset (buf.data, '@', buf.length); - - size_t sizes[] = { 16, buf.length, buf.length + 16 }; - for (int i = 0; i < array_length (sizes); i++) - { - /* The extra size is unitialized through realloc. */ - size_t l = sizes[i] > buf.length ? sizes[i] : buf.length; - void *r = scratch_buffer_dupfree (&buf, l); - void *c = xmalloc (l); - memset (c, '@', l); - TEST_COMPARE_BLOB (r, l, buf.data, l); - free (r); - free (c); - } - - scratch_buffer_free (&buf); + size_t l = 16 <= buf.length ? 16 : buf.length; + void *r = scratch_buffer_dupfree (&buf, l); + void *c = xmalloc (l); + memset (c, '@', l); + TEST_COMPARE_BLOB (r, l, c, l); + free (r); + free (c); } return 0; }
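
Review bot: The rewritten block in do_test only exercises l = 16 (clamped to buf.length) and drops the l == buf.length case, which the commit message itself lists as valid (size <= buf.length) and which is the boundary where an off-by-one in the copy would show up. Consider a second pass that calls scratch_buffer_init (&buf) and memset again, then scratch_buffer_dupfree (&buf, buf.length) with the length saved in a local beforehand, so buf.length is not read after the call. Separately, r is passed straight to TEST_COMPARE_BLOB without a NULL check; a TEST_VERIFY_EXIT (r != NULL) after the dupfree call would turn an allocation failure into a clear test failure instead of a crash in the comparison. Since scratch_buffer_free (&buf) is removed on purpose, a one-line comment stating that scratch_buffer_dupfree releases buf and that buf.data and buf.length must not be touched afterwards would keep a later edit from reintroducing the double free or the stale read.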