[PATCH] malloc: fix out-of-bounds read
From: Collin Funk
Subject: [PATCH] malloc: fix out-of-bounds read
Date: Thu, 18 Jul 2024 22:06:16 -0700
User-agent: Gnus/5.13 (Gnus v5.13)
Hi,
In lib/malloc/malloc.c there is a read that occurs 1 or 2 indexes before
the first element in the buffer. The issue is this macro:
/* Use this when we want to be sure that NB is in bucket NU. */
#define RIGHT_BUCKET(nb, nu) \
(((nb) > binsizes[(nu)-1]) && ((nb) <= binsizes[(nu)]))
Where 'binsizes' is an array like this:
static const unsigned long binsizes[NBUCKETS] = {
32UL, 64UL, 128UL, 256UL, 512UL, 1024UL, 2048UL, 4096UL,
... };
The out-of-bounds read occurs in a line like this:
/* If ok, use the same block, just marking its size as changed. */
if (RIGHT_BUCKET(nbytes, nunits) || RIGHT_BUCKET(nbytes, nunits-1))
{
...
}
Where 'nunits' isn't properly checked. This can easily be seen by
-fsanitize=undefined when running make check:
< malloc.c:1205:7: runtime error: index -1 out of bounds for type 'long unsigned int [28]'
< malloc.c:1205:39: runtime error: index -2 out of bounds for type 'long unsigned int [28]'
< malloc.c:1205:39: runtime error: index -1 out of bounds for type 'long unsigned int [28]'
I've attached a patch that silences ubsan at least. I didn't look into
the surrounding code much so a double check would be nice. :)
Collin
Attachment: 0001-malloc-fix-out-of-bounds-read.patch
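The following is an added illustration, not the attached patch and not bash's own code: it reproduces the quoted RIGHT_BUCKET macro beside a hypothetical bounds-checked helper (right_bucket_checked, same_block_ok are invented names) over a constructed eight-entry binsizes table, so that nunits == 0 no longer indexes binsizes[-1] or binsizes[-2].

```c
#include <stdbool.h>

/* Constructed stand-in for bash's binsizes[] table (first 8 buckets only). */
#define NBUCKETS 8
static const unsigned long binsizes[NBUCKETS] = {
    32UL, 64UL, 128UL, 256UL, 512UL, 1024UL, 2048UL, 4096UL
};

/* The macro as quoted in the mail. With nu == 0 it reads binsizes[-1], and
   the second call in the realloc test (nunits-1) reaches binsizes[-2].
   Kept here for comparison only; it is never invoked below. */
#define RIGHT_BUCKET(nb, nu) \
    (((nb) > binsizes[(nu)-1]) && ((nb) <= binsizes[(nu)]))

/* Hypothetical checked replacement (not the attached patch): reject any
   bucket index outside the table, and give bucket 0 a lower bound of 0
   because it has no smaller neighbour to compare against. */
static bool right_bucket_checked(unsigned long nb, long nu)
{
    if (nu < 0 || nu >= NBUCKETS)
        return false;
    unsigned long lower = (nu == 0) ? 0UL : binsizes[nu - 1];
    return nb > lower && nb <= binsizes[nu];
}

/* Mirror of the quoted "use the same block" test; nunits-1 may now be -1
   and is simply rejected instead of being used as an array index. */
static bool same_block_ok(unsigned long nbytes, long nunits)
{
    return right_bucket_checked(nbytes, nunits) ||
           right_bucket_checked(nbytes, nunits - 1);
}

int main(void)
{
    /* nunits == 0 is exactly the case ubsan flagged; 16 bytes fit bucket 0. */
    return same_block_ok(16UL, 0) ? 0 : 1;
}
```

Building the checked variant with -fsanitize=undefined and exercising nunits == 0 produces no index-out-of-bounds report, which is the check the mail suggests doing against the real patch.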