Re: [PATCH] malloc: fix out-of-bounds read
From: Chet Ramey
Subject: Re: [PATCH] malloc: fix out-of-bounds read
Date: Mon, 22 Jul 2024 11:58:28 -0400
User-agent: Mozilla Thunderbird
On 7/19/24 1:06 AM, Collin Funk wrote:
> Hi,
>
> In lib/malloc/malloc.c there is a read that occurs 1 or 2 indexes before
> the first element in the buffer. The issue is this macro:

Thanks for the report. This affects calls to realloc with size < 64 bytes.

> /* Use this when we want to be sure that NB is in bucket NU. */
> #define RIGHT_BUCKET(nb, nu) \
>         (((nb) > binsizes[(nu)-1]) && ((nb) <= binsizes[(nu)]))

The right fix here is two-fold: fix the first test here to evaluate to 0
if nu == 0, and change the call in internal_realloc similarly to how your
patch changes it for the nunits - 1 case.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
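The following is an added example, not code from the thread or from bash's lib/malloc/malloc.c. It models the two-fold fix the reply describes: the quoted RIGHT_BUCKET macro as written, a guarded variant whose first test evaluates to 0 when nu == 0, and a hypothetical realloc-style caller that also skips the nunits - 1 case when nunits is 0. The bucket table binsizes[] here is constructed for the example (eight power-of-two buckets, not bash's real table), and the table read is routed through an instrumented accessor so the stray index is recorded instead of dereferenced. The function names same_bucket_orig, same_bucket_fixed and lowest_index_for are inventions of this example, not bash identifiers.

```c
#include <stdio.h>

#define NBUCKETS 8

/* Constructed bucket table for this example (an assumption, not bash's real
 * binsizes[]): bucket i holds requests of up to binsizes[i] bytes. */
static const unsigned long binsizes[NBUCKETS] = {
    8UL, 16UL, 32UL, 64UL, 128UL, 256UL, 512UL, 1024UL
};

/* Lowest index any check asked for; 0 means every read stayed inside the table. */
static int min_index_read;

/* Instrumented stand-in for binsizes[i]: records the index and refuses to
 * dereference anything outside [0, NBUCKETS), returning 0 instead. */
static unsigned long bin_at(int i)
{
    if (i < min_index_read)
        min_index_read = i;
    if (i < 0 || i >= NBUCKETS)
        return 0UL;
    return binsizes[i];
}

/* The macro as quoted in the thread, with the table read routed through
 * bin_at().  For nu == 0 the first test indexes binsizes[-1]. */
#define RIGHT_BUCKET_ORIG(nb, nu) \
    (((nb) > bin_at((nu) - 1)) && ((nb) <= bin_at((nu))))

/* Guarded form, following the reply's description: the first test evaluates
 * to 0 when nu == 0, so binsizes[-1] is never indexed.  A negative nu is
 * still not handled here; the caller must not pass one (see below). */
#define RIGHT_BUCKET_FIXED(nb, nu) \
    ((((nu) == 0) ? 0 : ((nb) > bin_at((nu) - 1))) && ((nb) <= bin_at((nu))))

/* Hypothetical realloc-style check, modelled on the thread rather than copied
 * from bash's internal_realloc(): does the new size still fit the chunk's
 * current bucket, or the one below it? */
int same_bucket_orig(unsigned long nbytes, int nunits)
{
    return RIGHT_BUCKET_ORIG(nbytes, nunits)
        || RIGHT_BUCKET_ORIG(nbytes, nunits - 1);   /* nunits == 0 -> binsizes[-2] */
}

/* Same check with both halves of the fix: guarded macro, and the nunits - 1
 * case only tried when nunits > 0. */
int same_bucket_fixed(unsigned long nbytes, int nunits)
{
    return RIGHT_BUCKET_FIXED(nbytes, nunits)
        || (nunits > 0 && RIGHT_BUCKET_FIXED(nbytes, nunits - 1));
}

/* Runs one check and reports the most negative table index it tried to read
 * (0 when every read was in bounds). */
int lowest_index_for(int (*check)(unsigned long, int), unsigned long nbytes, int nunits)
{
    min_index_read = 0;
    (void)check(nbytes, nunits);
    return min_index_read;
}

int main(void)
{
    printf("orig,  12 bytes, bucket 0: lowest index read = %d\n",
           lowest_index_for(same_bucket_orig, 12UL, 0));
    printf("fixed, 12 bytes, bucket 0: lowest index read = %d\n",
           lowest_index_for(same_bucket_fixed, 12UL, 0));
    printf("fixed, 12 bytes, bucket 2: same bucket = %d\n",
           same_bucket_fixed(12UL, 2));
    return 0;
}
```

With the original macro, a 12-byte request against bucket 0 reads index -1 from the first RIGHT_BUCKET and indices -2 and -1 from the nunits - 1 call, which is the "1 or 2 indexes before the first element" in the report. The guarded version never reads below index 0 and agrees with the original on in-range buckets. Note that under this reading of the fix, RIGHT_BUCKET is simply false for bucket 0, so a realloc of a bucket-0 chunk falls through to the copy path; that is the conservative choice when a bucket has no lower bound to compare against. In real code, a build with -fsanitize=address would flag the original's binsizes[-1] read directly, since the global array has redzones on both sides.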