[bug #53284] realloc() does not respect __freelist size for small allocations


[bug #53284] realloc() does not respect __freelist size for small allocations

Kevin Cuzner-2
URL:
  <http://savannah.nongnu.org/bugs/?53284>

                 Summary: realloc() does not respect __freelist size for small allocations
                 Project: AVR C Runtime Library
            Submitted by: djglaze
            Submitted on: Sun 04 Mar 2018 10:19:44 PM UTC
                Category: Library
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: libc code
                  Status: None
        Percent Complete: 0%
             Assigned to: None
        Originator Email:
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 2.0.0
           Fixed Release: None

    _______________________________________________________

Details:

The realloc() function does not respect the __freelist size when resizing an
allocation down to 0 or 1 bytes.  If this allocation is then deallocated with
free(), a __freelist entry is placed in its slot that can partially overwrite
an adjacent allocation, leading to irrecoverable memory corruption.  The
following code can reproduce the corruption:


#include <stdlib.h>

// Relevant bytes in heap allocation shown in comments (User storage denoted with 0xFF)
char * resizedVar = (char*)malloc(6);       // 0x06 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
resizedVar = (char*)realloc(resizedVar, 1); // 0x01 0x00 0xFF
char * fixedVar = (char*)malloc(4);         // 0x01 0x00 0xFF 0x04 0x00 0xFF 0xFF 0xFF 0xFF
free(resizedVar);                           // 0x01 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF
                                            //                  ^ Size of fixedVar overwritten


malloc() handles this issue with a minimum allocation size, so that requested
allocations of 0, 1, or 2 bytes all take the same storage.  The same technique
can be used here to prevent problems, as shown in the attached patch.
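The following host-side model is an added illustration and is not code from the report, the attached patch, or avr-libc itself. It replays the report's sequence inside a byte array using the chunk layout the report describes (a 2-byte size header in front of every allocation, and a 4-byte free-list entry {sz, nx} written over a chunk when it is freed, as on a 16-bit AVR) and compares the unpatched shrink with the minimum-size clamp that malloc() already applies. Assumed simplifications: bump allocation only, realloc() shrinking only the topmost chunk, no free-list coalescing; the names `model_malloc`, `model_realloc`, `model_free` and `run_scenario` are the example's own.

```c
/* Added example, not avr-libc code: a host-side model of the chunk layout the
 * report describes (2-byte size header, 4-byte free-list entry {sz, nx}).
 * Assumptions: bump allocation only, shrink-only realloc() of the topmost
 * chunk, no free-list coalescing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR       2                   /* sizeof(size_t) on AVR */
#define FREELIST  4                   /* sizeof(struct __freelist): sz + nx */
#define MIN_USER  (FREELIST - HDR)    /* smallest user size a free-list entry fits in */

static uint8_t heap[64];
static size_t  brkval;                /* models __brkval: first byte above the heap */

static uint16_t rd16(size_t off) { return (uint16_t)(heap[off] | (heap[off + 1] << 8)); }
static void     wr16(size_t off, uint16_t v) { heap[off] = v & 0xFF; heap[off + 1] = v >> 8; }

/* Bump allocator with the same clamp avr-libc's malloc() applies to 0..2-byte
 * requests. Returns the offset of the user storage (0 means out of space). */
static size_t model_malloc(size_t len)
{
    if (len < MIN_USER) len = MIN_USER;
    if (brkval + HDR + len > sizeof heap) return 0;
    size_t user = brkval + HDR;
    wr16(brkval, (uint16_t)len);
    memset(heap + user, 0xFF, len);   /* user bytes shown as 0xFF, as in the report */
    brkval = user + len;
    return user;
}

/* Shrinking realloc() of the topmost chunk. With clamp == 0 it behaves as the
 * report describes; with clamp != 0 it applies the proposed minimum size. */
static size_t model_realloc(size_t user, size_t len, int clamp)
{
    if (clamp && len < MIN_USER) len = MIN_USER;
    size_t old = rd16(user - HDR);
    if (len > old) return 0;                        /* growing is not modelled */
    if (old - len < FREELIST) return user;          /* tail too small to split off */
    wr16(user - HDR, (uint16_t)len);
    brkval = user + len;                            /* released tail returns to __brkval */
    return user;
}

/* free(): a chunk bordering __brkval is simply given back; any other chunk gets
 * a free-list entry written over its header and user storage, FREELIST bytes
 * long regardless of how small the chunk actually is. */
static void model_free(size_t user)
{
    size_t sz = rd16(user - HDR);
    if (user + sz == brkval) { brkval = user - HDR; return; }
    wr16(user - HDR, (uint16_t)sz);   /* fp->sz */
    wr16(user, 0);                    /* fp->nx (empty list) */
}

/* Replays the report's sequence and returns the size recorded in fixedVar's
 * header after free(resizedVar): 4 when intact, something else when clobbered. */
uint16_t run_scenario(int clamp)
{
    memset(heap, 0, sizeof heap);
    brkval = 0;
    size_t resized = model_malloc(6);
    resized = model_realloc(resized, 1, clamp);
    size_t fixed = model_malloc(4);
    model_free(resized);
    return rd16(fixed - HDR);
}

int main(void)
{
    printf("unpatched realloc: fixedVar header = %u\n", (unsigned)run_scenario(0));  /* 0 */
    printf("clamped realloc:   fixedVar header = %u\n", (unsigned)run_scenario(1));  /* 4 */
    return 0;
}
```

Without the clamp the 1-byte chunk is 3 bytes long in total, so the 4-byte free-list entry spills one byte into the next header and `run_scenario(0)` reports fixedVar's size as 0 instead of 4; with the clamp the shrunk chunk keeps 2 bytes of user storage, the entry fits, and `run_scenario(1)` reports 4.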




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun 04 Mar 2018 10:19:44 PM UTC  Name: realloc_small_size.patch  Size: 614B   By: djglaze

<http://savannah.nongnu.org/bugs/download.php?file_id=43463>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?53284>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/


_______________________________________________
AVR-libc-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/avr-libc-dev

[bug #53284] realloc() does not respect __freelist size for small allocations

Kevin Cuzner-2
Follow-up Comment #1, bug #53284 (project avr-libc):

This got triggered by nanopb fuzz tests; I'm adding a workaround on my library
side as this would otherwise have potential security implications. It would be
great if this could eventually be fixed on avr-libc side.

I think the suggested patch does not address the case of len == 0, which
should be equivalent to free(ptr). I've attached a patch that handles that
also.

(file #48143)
    _______________________________________________________

Additional Item Attachment:

File name: avr-libc-realloc-small-len-values.patch  Size: 0 KB

<https://savannah.nongnu.org/file/avr-libc-realloc-small-len-values.patch?file_id=48143>






[bug #53284] realloc() does not respect __freelist size for small allocations

Kevin Cuzner-2
Follow-up Comment #2, bug #53284 (project avr-libc):

Related other bugs: #40535, #32702
