mailing list of musl libc
 help / color / mirror / Atom feed
From: Rich Felker <dalias@libc.org>
To: Benedict <hymeng90@126.com>
Cc: musl <musl@lists.openwall.com>
Subject: Re: [musl] realloc buffer overflow issue
Date: Sun, 28 Feb 2021 11:48:40 -0500
Message-ID: <20210228164839.GE32655@brightrain.aerifal.cx> (raw)
In-Reply-To: <32f125fa.2032.177e95996dd.Coremail.hymeng90@126.com>

On Sun, Feb 28, 2021 at 11:54:58PM +0800, Benedict wrote:
> I found an memory leak issue in my multi-thread, which had fixed issue by the following patch
> 
> 
> 
> https://git.musl-libc.org/cgit/musl/commit/src/malloc?id=3e16313f8fe2ed143ae0267fd79d63014c24779f
> 
> 
> 
> 
> 
> 
> about this patch, I think it involved a bug for realloc function:
> when the request size 'n' (the second paramter passed to realloc)
> lesser than the original memory size 'n0' (the memory block that
> first paramter of realloc pointed to) and the next chunk of 'self '
> is in used state, the realloc should call trim(self, n) to split
> current chunk rather than call malloc, that will cause memcpy buffer
> overflow due to 'n < n0', and it will cause next malloc crash...
> 
> 
> after fix, I think it should be like:
> lock(mal.split_merge_lock);
> 
> 
> size_t nsize = next->csize & C_INUSE ? 0 : CHUNK_SIZE(next);
> if (nsize)) {
> int i = bin_index(nsize);
> lock_bin(i);
> if (!(next->csize & C_INUSE)) {
> unbin(next, i);
> next = NEXT_CHUNK(next);
> self->csize = next->psize = n0+nsize | C_INUSE;
> }
> unlock_bin(i);
> }
>     
>     if(CHUNK_SIZE(self) >= n) {
>         trim(self, n);
>         unlock(mal.split_merge_lock);
> return CHUNK_TO_MEM(self);
>     }
> unlock(mal.split_merge_lock);
> 
> 
> copy_realloc:
> /* As a last resort, allocate a new chunk and copy to it. */
> new = malloc(n-OVERHEAD);
> if (!new) return 0;
> copy_free_ret:
> memcpy(new, p, n0-OVERHEAD);
> free(CHUNK_TO_MEM(self));
> return new;

I haven't looked in detail yet but isn't this the same bug fixed a
week after it was introduced with commits
cb5babdc8d624a3e3e7bea0b4e28a677a2f2fc46 and
fca7428c096066482d8c3f52450810288e27515c ?

Rich

      reply	other threads:[~2021-02-28 16:48 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-28 15:54 Benedict
2021-02-28 16:48 ` Rich Felker [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210228164839.GE32655@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=hymeng90@126.com \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

mailing list of musl libc

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/musl

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 musl musl/ http://inbox.vuxu.org/musl \
		musl@inbox.vuxu.org
	public-inbox-index musl

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.musl


code repositories for the project(s) associated with this inbox:

	https://git.vuxu.org/mirror/musl/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git