[avr-libc-dev] [bug #53284] realloc() does not respect __freelist size for small allocations
David Glaze
2018-03-04 22:19:45 UTC
URL:
<http://savannah.nongnu.org/bugs/?53284>

Summary: realloc() does not respect __freelist size for small allocations
Project: AVR C Runtime Library
Submitted by: djglaze
Submitted on: Sun 04 Mar 2018 10:19:44 PM UTC
Category: Library
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: libc code
Status: None
Percent Complete: 0%
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 2.0.0
Fixed Release: None

_______________________________________________________

Details:

The realloc() function does not respect the __freelist size when resizing an
allocation down to 0 or 1 bytes. If this allocation is then deallocated with
free(), a __freelist entry is placed in its slot that can partially overwrite
an adjacent allocation, leading to irrecoverable memory corruption. The
following code can reproduce the corruption:


#include <stdlib.h>

// Relevant bytes in the heap allocation are shown in the comments (user storage
// denoted with 0xFF; each chunk starts with a 2-byte size header)
char * resizedVar = (char*)malloc(6);          // 0x06 0x00 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
resizedVar = (char*)realloc(resizedVar, 1);    // 0x01 0x00 0xFF
char * fixedVar = (char*)malloc(4);            // 0x01 0x00 0xFF 0x04 0x00 0xFF 0xFF 0xFF 0xFF
free(resizedVar);                              // 0x01 0x00 0x00 0x00 0x00 0xFF 0xFF 0xFF 0xFF
                                               //                ^ Size of fixedVar overwritten


malloc() handles this issue with a minimum allocation size, so that requested
allocations of 0, 1, or 2 bytes all take the same storage. The same technique
can be used here to prevent problems, as shown in the attached patch.
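The sequence above, replayed on a host against a small simulated heap, as an added example that is not part of the bug report or of avr-libc itself. The model keeps avr-libc's layout (a 2-byte size header before each chunk, and a free-list entry of { size, next } that reuses the first two user bytes as the link) but uses 16-bit offsets into a byte array instead of real pointers, models only in-place shrinking for realloc(), and returns a shrunk tail to the top of the heap the way free() does for the last chunk. The names heap_t, sim_malloc, sim_realloc_shrink, sim_free and reproduce are assumptions of this example. reproduce(0) runs the unpatched shrink and shows fixedVar's size header clobbered by the free-list link; reproduce(1) applies the same minimum size malloc() uses and the header survives.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of an avr-libc-style heap (added example, not avr-libc code).
 * Offsets stand in for AVR's 16-bit pointers; offset 0 is reserved as NULL. */
#define HEAP_SIZE 64
#define NONE      0      /* empty free list, written as 0x00 0x00 like a NULL pointer */
#define MIN_USER  2      /* sizeof(struct __freelist) - sizeof(size_t): room for the link */

typedef struct {
    uint8_t  mem[HEAP_SIZE];
    uint16_t brk;        /* first unused offset (bump pointer) */
    uint16_t freelist;   /* header offset of first free chunk, or NONE */
} heap_t;

static uint16_t rd16(const heap_t *h, uint16_t off) {
    return (uint16_t)(h->mem[off] | (h->mem[off + 1] << 8));
}
static void wr16(heap_t *h, uint16_t off, uint16_t v) {
    h->mem[off] = (uint8_t)(v & 0xFF);
    h->mem[off + 1] = (uint8_t)(v >> 8);
}

/* Bump allocation with malloc()'s minimum size; user bytes are filled with 0xFF
 * to match the report's notation. Returns the user offset, or NONE on exhaustion. */
static uint16_t sim_malloc(heap_t *h, uint16_t len) {
    if (len < MIN_USER) len = MIN_USER;
    if (h->brk + 2 + len > HEAP_SIZE) return NONE;
    uint16_t hdr = h->brk;
    wr16(h, hdr, len);
    memset(&h->mem[hdr + 2], 0xFF, len);
    h->brk = (uint16_t)(hdr + 2 + len);
    return (uint16_t)(hdr + 2);
}

/* In-place shrink. clamp == 0 is the reported behaviour (any size accepted);
 * clamp != 0 applies the same minimum malloc() enforces, which is the fix. */
static uint16_t sim_realloc_shrink(heap_t *h, uint16_t p, uint16_t len, int clamp) {
    uint16_t old = rd16(h, p - 2);
    if (clamp && len < MIN_USER) len = MIN_USER;
    if (len > old) return NONE;               /* growing is not modelled here */
    wr16(h, p - 2, len);
    if (p + old == h->brk)                    /* last chunk: tail goes back to the top */
        h->brk = (uint16_t)(p + len);
    return p;
}

/* free() turns the chunk into a free-list entry: the size stays in the header and
 * the 'next' link is written over the first two user bytes, whatever the size says. */
static void sim_free(heap_t *h, uint16_t p) {
    wr16(h, p, h->freelist);
    h->freelist = (uint16_t)(p - 2);
}

/* Replays the report: malloc(6), realloc(.., 1), malloc(4), free(first).
 * Returns the size recorded in fixedVar's header afterwards: 4 if intact. */
static uint16_t reproduce(int clamp) {
    heap_t h;
    memset(&h, 0, sizeof h);
    h.brk = 2;                                /* keep offset 0 free to act as NULL */
    h.freelist = NONE;
    uint16_t resized = sim_malloc(&h, 6);
    resized = sim_realloc_shrink(&h, resized, 1, clamp);
    uint16_t fixed = sim_malloc(&h, 4);
    sim_free(&h, resized);
    return rd16(&h, fixed - 2);
}

int main(void) {
    printf("unpatched realloc: fixedVar size header = %u\n", reproduce(0));
    printf("clamped realloc:   fixedVar size header = %u\n", reproduce(1));
    return 0;
}
```

Without the clamp the free-list link (0x00 0x00) lands on the single user byte and the low byte of the next header, so fixedVar's recorded size becomes 0; with the clamp the 1-byte request keeps 2 bytes of user storage and the link fits inside the freed chunk.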

_______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Sun 04 Mar 2018 10:19:44 PM UTC   Name: realloc_small_size.patch   Size: 614B   By: djglaze

<http://savannah.nongnu.org/bugs/download.php?file_id=43463>

_______________________________________________________

Reply to this item at:

<http://savannah.nongnu.org/bugs/?53284>

_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/