[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] unwind_prot.c: Avoid buffer overflow
From: |
Jessica Clarke |
Subject: |
[PATCH] unwind_prot.c: Avoid buffer overflow |
Date: |
Sat, 27 Jun 2020 22:14:38 +0100 |
In unwind_protect_mem_internal, we must make sure to allocate at least a
full UNWIND_ELT, even if the required size for desired_setting is less
than the remaining padding in UNWIND_ELT. Otherwise when we come to
memset it with 0xdf in unwind_frame_discard_internal we will overflow
the allocation.
On existing 32-bit and 64-bit architectures, this padding happens to be
only 4 bytes, and no users of this function call it with a size smaller
than 4 (unwind_protect_short and unwind_protect_string are both
currently unused). However, we should not rely on this as this could
change in future. Moreover on CHERI-RISC-V, pointers are replaced with
capabilities, 16-byte fat pointers, and the padding now ends up being 12
bytes, violating this assumption, but also trapping on this detected
buffer overflow by virtue of its fine-grained bounds.
---
unwind_prot.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/unwind_prot.c b/unwind_prot.c
index c9196dc1..37429924 100644
--- a/unwind_prot.c
+++ b/unwind_prot.c
@@ -349,6 +349,8 @@ unwind_protect_mem_internal (var, psize)
size = *(int *) psize;
allocated = size + offsetof (UNWIND_ELT, sv.v.desired_setting[0]);
+ if (allocated < sizeof (UNWIND_ELT))
+ allocated = sizeof (UNWIND_ELT);
elt = (UNWIND_ELT *)xmalloc (allocated);
elt->head.next = unwind_protect_list;
elt->head.cleanup = (Function *) restore_variable;
--
2.20.1
- [PATCH] unwind_prot.c: Avoid buffer overflow,
Jessica Clarke <=