If the "abort" flag is cleared (malloc_options = "a"), wrterror() will
not abort. This diff contains a fix for the recently added validate_junk()
function; it ensures that 'r' is never used if it is NULL.

Index: malloc.c
===================================================================
RCS file: /cvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.177
diff -u -p -r1.177 malloc.c
--- malloc.c    9 Dec 2015 02:45:23 -0000       1.177
+++ malloc.c    29 Dec 2015 19:06:01 -0000
@@ -1225,8 +1225,10 @@ validate_junk(void *p) {
        if (p == NULL)
                return;
        r = find(pool, p);
-       if (r == NULL)
+       if (r == NULL) {
                wrterror("bogus pointer in validate_junk", p);
+               return;
+       }
        REALSIZE(sz, r);
        if (sz > 0 && sz <= MALLOC_MAXCHUNK)
                sz -= mopts.malloc_canaries;
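
Review bot: The new "return;" after wrterror() in the "r == NULL" branch is only reachable when the abort option has been cleared, and nothing in the hunk says so. A one-line comment there would stop a later reader from removing it as dead code. Because validate_junk() returns nothing, the caller also has no way to learn that find() failed, so confirm the caller does not go on to use p after this path.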


Clearing the "abort" flag will also affect e.g. the "xmalloc" flag. The
documentation says:

        ``xmalloc''.  Rather than return failure, abort(3) the program with
        a diagnostic message on stderr.

But running the following code will not cause malloc() to abort:

        #include <stdio.h>
        #include <stdlib.h>
        extern char *malloc_options;
        int main(void) {
                malloc_options = "Xa";  /* xmalloc on, abort off */
                malloc(0xffffffff);
                printf("not aborted\n");
        }

The documentation says:

        ``Abort''.  malloc(3) will coredump the process, rather than tolerate
        internal inconsistencies or incorrect usage.

malloc(0xffffffff) doesn't seem like incorrect usage, so it's not clear
that toggling this flag will affect xmalloc.

How about this?

Index: malloc.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/malloc.conf.5,v
retrieving revision 1.2
diff -u -p -r1.2 malloc.conf.5
--- malloc.conf.5       9 Dec 2015 14:09:50 -0000       1.2
+++ malloc.conf.5       29 Dec 2015 19:41:19 -0000
@@ -43,6 +43,15 @@ inconsistencies or incorrect usage.
 This is the default and a very handy debugging aid,
 since the core file represents the time of failure,
 rather than when the bogus pointer was used.
+.It Cm a
+.Dq Never Abort .
+Never call 
+.Xr abort 3 ,
+even if
+.Dq xmalloc
+or
+.Dq Junk
+is set.
 .It Cm C
 .Dq Canaries .
 Add canaries at the end of allocations in order to detect
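
Review bot: The new ".It Cm a" entry reads as an independent option and never says that it is the cleared form of the "Abort" entry just above it, which that entry describes as the default. Say so explicitly, and state what the program does instead of calling abort(3) when "xmalloc" or "Junk" is set, since the entry currently only says what does not happen. The added line "Never call " also appears to end in a trailing blank, which mandoc lint will flag.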


The alternative would be to call abort() immediately after calls to wrterror()
in code related to Junk or xmalloc.

-- 
Michal Mazurek
