Undefined behaviour in get_large_size_class() #133
As mentioned there, I'm opening this issue to discuss another finding I investigated following static code analysis of hardened_malloc.

If we can reach the following definition in `get_large_size_class()` with `0 < size < 5`, we trigger either an undefined behaviour (call to `__builtin_clzl(0)`) or an underflow of `spacing_shift`:

Then, in the underflow case and on the next line, `spacing_shift` would be greater than the width of the left operand, which is an undefined behaviour in C:

I've been able to hit this via two different paths, with `SLAB_CANARY` set to false:

- `alloc_aligned()`, for instance from a call to `h_aligned_alloc(8192, 2)`;
- `h_free_sized(p, expected_size)` called with `0 < expected_size < 5` and `p` pointing outside the slab region.

Comments

That needs to be fixed. It doesn't appear that it could actually cause a problem in practice but the code should be clean of undefined behavior for well-defined usage of the API.

This is avoidable, but the caller has already done something that is going to end up being considered undefined when this API is standardized in the C standard, which is likely going to be happening. So we can avoid doing anything more undefined, but simply the fact that the caller has done this will be considered undefined in the future.

i.e. passing an invalid pointer and/or expected size to

This should be resolved by 29b0964.

You're welcome.

Interestingly, GCC and Clang handle the undefined behavior for the 1st case differently. Since this can cause an incorrect out-of-memory error to be reported for Clang in that kind of edge case (unlikely to be used in the real world, but still valid), it's probably worth tagging a new release for it.