| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220213010257.yllouthdbjzawil2@treble>
Date: Sat, 12 Feb 2022 17:02:57 -0800
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Kees Cook <keescook@...omium.org>
Cc: Valdis Klētnieks <valdis.kletnieks@...edu>,
Justin Forbes <jmforbes@...uxtx.org>,
Arnaldo Carvalho de Melo <acme@...hat.com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH] tools: Fix use-after-free for realloc(..., 0)
On Sat, Feb 12, 2022 at 10:18:55AM -0800, Kees Cook wrote:
> static inline void *xrealloc(void *ptr, size_t size)
> {
> - void *ret = realloc(ptr, size);
> - if (!ret && !size)
> - ret = realloc(ptr, 1);
> + void *ret;
> +
> + /*
> + * Convert a zero-sized allocation into 1 byte, since
> + * realloc(ptr, 0) means free(ptr), but we don't want
> + * to release the memory. For a new allocation (when
> + * ptr == NULL), avoid triggering NULL-checking error
> + * conditions for zero-sized allocations.
> + */
> + if (!size)
> + size = 1;
> + ret = realloc(ptr, size);
> if (!ret) {
> - ret = realloc(ptr, size);
> - if (!ret && !size)
> - ret = realloc(ptr, 1);
> - if (!ret)
> - die("Out of memory, realloc failed");
> + /*
> + * If realloc() fails, the original block is left untouched;
> + * it is not freed or moved.
> + */
> + die("Out of memory, realloc failed");
xrealloc() only has two uses -- both via ALLOC_GROW() -- and they don't
rely on the 'size == 0' freeing anyway. How about simplifying this
further to just:
ret = realloc(ptr, size);
if (!ret)
die("Out of memory, realloc failed");
Much easier to grok, and as a bonus, we don't need the long comments :-)
--
Josh
Powered by blists - more mailing lists