mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-22 21:10:07 +00:00
9bf8e29ca1
As discussed previously on libc-alpha [1], this patch follows up the idea and add both the __attribute_alloc_size__ on malloc functions (malloc, calloc, realloc, reallocarray, valloc, pvalloc, and memalign) and limit maximum requested allocation size to up PTRDIFF_MAX (taking into consideration internal padding and alignment). This aligns glibc with gcc expected size defined by default warning -Walloc-size-larger-than value which warns for allocation larger than PTRDIFF_MAX. It also aligns with gcc expectation regarding libc and expected size, such as described in PR#67999 [2] and previously discussed ISO C11 issues [3] on libc-alpha. From the RFC thread [4] and previous discussion, it seems that consensus is only to limit such requested size for malloc functions, not the system allocation one (mmap, sbrk, etc.). The implementation changes checked_request2size to check for both overflow and maximum object size up to PTRDIFF_MAX. No additional checks are done on sysmalloc, so it can still issue mmap with values larger than PTRDIFF_T depending on the requested size. The __attribute_alloc_size__ is for functions that return a pointer only, which means it cannot be applied to posix_memalign (see remarks in GCC PR#87683 [5]). The runtimes checks to limit maximum requested allocation size does applies to posix_memalign. Checked on x86_64-linux-gnu and i686-linux-gnu. [1] https://sourceware.org/ml/libc-alpha/2018-11/msg00223.html [2] https://gcc.gnu.org/bugzilla//show_bug.cgi?id=67999 [3] https://sourceware.org/ml/libc-alpha/2011-12/msg00066.html [4] https://sourceware.org/ml/libc-alpha/2018-11/msg00224.html [5] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87683 [BZ #23741] * malloc/hooks.c (malloc_check, realloc_check): Use __builtin_add_overflow on overflow check and adapt to checked_request2size change. * malloc/malloc.c (__libc_malloc, __libc_realloc, _mid_memalign, __libc_pvalloc, __libc_calloc, _int_memalign): Limit maximum allocation size to PTRDIFF_MAX. (REQUEST_OUT_OF_RANGE): Remove macro. (checked_request2size): Change to inline function and limit maximum requested size to PTRDIFF_MAX. (__libc_malloc, __libc_realloc, _int_malloc, _int_memalign): Limit maximum allocation size to PTRDIFF_MAX. (_mid_memalign): Use _int_memalign call for overflow check. (__libc_pvalloc): Use __builtin_add_overflow on overflow check. (__libc_calloc): Use __builtin_mul_overflow for overflow check and limit maximum requested size to PTRDIFF_MAX. * malloc/malloc.h (malloc, calloc, realloc, reallocarray, memalign, valloc, pvalloc): Add __attribute_alloc_size__. * stdlib/stdlib.h (malloc, realloc, reallocarray, valloc): Likewise. * malloc/tst-malloc-too-large.c (do_test): Add check for allocation larger than PTRDIFF_MAX. * malloc/tst-memalign.c (do_test): Disable -Walloc-size-larger-than= around tests of malloc with negative sizes. * malloc/tst-posix_memalign.c (do_test): Likewise. * malloc/tst-pvalloc.c (do_test): Likewise. * malloc/tst-valloc.c (do_test): Likewise. * malloc/tst-reallocarray.c (do_test): Replace call to reallocarray with resulting size allocation larger than PTRDIFF_MAX with reallocarray_nowarn. (reallocarray_nowarn): New function. * NEWS: Mention the malloc function semantic change.
136 lines
3.1 KiB
C
136 lines
3.1 KiB
C
/* Test for reallocarray.
|
|
Copyright (C) 2017-2019 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<http://www.gnu.org/licenses/>. */
|
|
|
|
#include <errno.h>
|
|
#include <malloc.h>
|
|
#include <string.h>
|
|
#include <support/check.h>
|
|
#include <libc-diag.h>
|
|
|
|
static void *
|
|
reallocarray_nowarn (void *ptr, size_t nmemb, size_t size)
|
|
{
|
|
#if __GNUC_PREREQ (7, 0)
|
|
/* GCC 7 warns about too-large allocations; here we want to test
|
|
that they fail. */
|
|
DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
|
|
#endif
|
|
void *ret = reallocarray (ptr, nmemb, size);
|
|
#if __GNUC_PREREQ (7, 0)
|
|
DIAG_POP_NEEDS_COMMENT;
|
|
#endif
|
|
return ret;
|
|
}
|
|
|
|
|
|
static int
|
|
do_test (void)
|
|
{
|
|
void *ptr = NULL;
|
|
void *ptr2 = NULL;
|
|
unsigned char *c;
|
|
size_t i;
|
|
int ok;
|
|
const size_t max = ~(size_t)0;
|
|
size_t a, b;
|
|
|
|
/* Test overflow detection. */
|
|
errno = 0;
|
|
ptr = reallocarray_nowarn (NULL, max, 2);
|
|
TEST_VERIFY (!ptr);
|
|
TEST_VERIFY (errno == ENOMEM);
|
|
|
|
errno = 0;
|
|
ptr = reallocarray_nowarn (NULL, 2, max);
|
|
TEST_VERIFY (!ptr);
|
|
TEST_VERIFY (errno == ENOMEM);
|
|
|
|
a = 65537;
|
|
b = max/65537 + 1;
|
|
errno = 0;
|
|
ptr = reallocarray_nowarn (NULL, a, b);
|
|
TEST_VERIFY (!ptr);
|
|
TEST_VERIFY (errno == ENOMEM);
|
|
|
|
errno = 0;
|
|
ptr = reallocarray_nowarn (NULL, b, a);
|
|
TEST_VERIFY (!ptr);
|
|
TEST_VERIFY (errno == ENOMEM);
|
|
|
|
/* Test realloc-like behavior. */
|
|
/* Allocate memory like malloc. */
|
|
ptr = reallocarray (NULL, 10, 2);
|
|
TEST_VERIFY_EXIT (ptr);
|
|
TEST_VERIFY_EXIT (malloc_usable_size (ptr) >= 10*2);
|
|
|
|
memset (ptr, 0xAF, 10*2);
|
|
|
|
/* Enlarge buffer. */
|
|
ptr2 = reallocarray (ptr, 20, 2);
|
|
TEST_VERIFY (ptr2);
|
|
if (ptr2)
|
|
ptr = ptr2;
|
|
TEST_VERIFY (malloc_usable_size (ptr) >= 20*2);
|
|
|
|
c = ptr;
|
|
ok = 1;
|
|
for (i = 0; i < 10*2; ++i)
|
|
{
|
|
if (c[i] != 0xAF)
|
|
ok = 0;
|
|
}
|
|
TEST_VERIFY (ok);
|
|
|
|
/* Decrease buffer size. */
|
|
ptr2 = reallocarray (ptr, 5, 3);
|
|
TEST_VERIFY (ptr2);
|
|
if (ptr2)
|
|
ptr = ptr2;
|
|
TEST_VERIFY_EXIT (malloc_usable_size (ptr) >= 5*3);
|
|
|
|
c = ptr;
|
|
ok = 1;
|
|
for (i = 0; i < 5*3; ++i)
|
|
{
|
|
if (c[i] != 0xAF)
|
|
ok = 0;
|
|
}
|
|
TEST_VERIFY (ok);
|
|
|
|
/* Overflow should leave buffer untouched. */
|
|
errno = 0;
|
|
ptr2 = reallocarray_nowarn (ptr, 2, ~(size_t)0);
|
|
TEST_VERIFY (!ptr2);
|
|
TEST_VERIFY (errno == ENOMEM);
|
|
|
|
c = ptr;
|
|
ok = 1;
|
|
for (i = 0; i < 5*3; ++i)
|
|
{
|
|
if (c[i] != 0xAF)
|
|
ok = 0;
|
|
}
|
|
TEST_VERIFY (ok);
|
|
|
|
free (ptr);
|
|
|
|
return 0;
|
|
}
|
|
|
|
#include <support/test-driver.c>
|