diff options
| author | Florian Weimer <fw@deneb.enyo.de> | 2018-12-31 22:04:36 +0100 |
|---|---|---|
| committer | Florian Weimer <fw@deneb.enyo.de> | 2019-01-01 10:46:55 +0100 |
| commit | 8f83d095fabf9e3e9e23023a010e50a21810d918 (patch) | |
| tree | f4f44a126e0d8e3a8daa7c4ed667cd64d5b9fe8a | |
| parent | 69b914a99e24da875f9f4f2449ec9a6126ac3bc2 (diff) | |
| download | glibc-8f83d095fabf9e3e9e23023a010e50a21810d918.tar.gz glibc-8f83d095fabf9e3e9e23023a010e50a21810d918.tar.xz glibc-8f83d095fabf9e3e9e23023a010e50a21810d918.zip | |
malloc: Always call memcpy in _int_realloc [BZ #24027]
This commit removes the custom memcpy implementation from _int_realloc for small chunk sizes. The ncopies variable has the wrong type, and an integer wraparound could cause the existing code to copy too few elements (leaving the new memory region mostly uninitialized). Therefore, removing this code fixes bug 24027. (cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | malloc/malloc.c | 43 |
3 files changed, 9 insertions, 42 deletions
diff --git a/ChangeLog b/ChangeLog index c7a04d8717..ec7dcc67b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2018-12-31 Florian Weimer <fw@deneb.enyo.de> + + [BZ #24027] + * malloc/malloc.c (_int_realloc): Always call memcpy for the + copying operation. (ncopies had the wrong type, resulting in an + integer wraparound and too few elements being copied.) + 2018-12-28 Aurelien Jarno <aurelien@aurel32.net> * sysdeps/alpha/fpu/libm-test-ulps: Regenerated. diff --git a/NEWS b/NEWS index 05f7342fcb..d350d4666a 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,7 @@ The following bugs are resolved with this release: [23822] ia64 static libm.a is missing exp2f, log2f and powf symbols [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591) [23972] __old_getdents64 uses wrong d_off value on overflow + [24027] malloc: Integer overflow in realloc Security related changes: diff --git a/malloc/malloc.c b/malloc/malloc.c index dad0e73735..27cf6137c2 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4544,11 +4544,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, mchunkptr bck; /* misc temp for linking */ mchunkptr fwd; /* misc temp for linking */ - unsigned long copysize; /* bytes to copy */ - unsigned int ncopies; /* INTERNAL_SIZE_T words to copy */ - INTERNAL_SIZE_T* s; /* copy source */ - INTERNAL_SIZE_T* d; /* copy destination */ - /* oldmem size */ if (__builtin_expect (chunksize_nomask (oldp) <= 2 * SIZE_SZ, 0) || __builtin_expect (oldsize >= av->system_mem, 0)) @@ -4616,43 +4611,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, } else { - /* - Unroll copy of <= 36 bytes (72 if 8byte sizes) - We know that contents have an odd number of - INTERNAL_SIZE_T-sized words; minimally 3. - */ - - copysize = oldsize - SIZE_SZ; - s = (INTERNAL_SIZE_T *) (chunk2mem (oldp)); - d = (INTERNAL_SIZE_T *) (newmem); - ncopies = copysize / sizeof (INTERNAL_SIZE_T); - assert (ncopies >= 3); - - if (ncopies > 9) - memcpy (d, s, copysize); - - else - { - *(d + 0) = *(s + 0); - *(d + 1) = *(s + 1); - *(d + 2) = *(s + 2); - if (ncopies > 4) - { - *(d + 3) = *(s + 3); - *(d + 4) = *(s + 4); - if (ncopies > 6) - { - *(d + 5) = *(s + 5); - *(d + 6) = *(s + 6); - if (ncopies > 8) - { - *(d + 7) = *(s + 7); - *(d + 8) = *(s + 8); - } - } - } - } - + memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ); _int_free (av, oldp, 1); check_inuse_chunk (av, newp); return chunk2mem (newp); |