lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Feb 2022 17:02:57 -0800 From: Josh Poimboeuf <jpoimboe@...hat.com> To: Kees Cook <keescook@...omium.org> Cc: Valdis Klētnieks <valdis.kletnieks@...edu>, Justin Forbes <jmforbes@...uxtx.org>, Arnaldo Carvalho de Melo <acme@...hat.com>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH] tools: Fix use-after-free for realloc(..., 0) On Sat, Feb 12, 2022 at 10:18:55AM -0800, Kees Cook wrote: > static inline void *xrealloc(void *ptr, size_t size) > { > - void *ret = realloc(ptr, size); > - if (!ret && !size) > - ret = realloc(ptr, 1); > + void *ret; > + > + /* > + * Convert a zero-sized allocation into 1 byte, since > + * realloc(ptr, 0) means free(ptr), but we don't want > + * to release the memory. For a new allocation (when > + * ptr == NULL), avoid triggering NULL-checking error > + * conditions for zero-sized allocations. > + */ > + if (!size) > + size = 1; > + ret = realloc(ptr, size); > if (!ret) { > - ret = realloc(ptr, size); > - if (!ret && !size) > - ret = realloc(ptr, 1); > - if (!ret) > - die("Out of memory, realloc failed"); > + /* > + * If realloc() fails, the original block is left untouched; > + * it is not freed or moved. > + */ > + die("Out of memory, realloc failed"); xrealloc() only has two uses -- both via ALLOC_GROW() -- and they don't rely on the 'size == 0' freeing anyway. How about simplifying this further to just: ret = realloc(ptr, size); if (!ret) die("Out of memory, realloc failed"); Much easier to grok, and as a bonus, we don't need the long comments :-) -- Josh
Powered by blists - more mailing lists