From: Rich Felker Date: Wed, 24 Jul 2013 03:18:49 +0000 (-0400) Subject: fix heap corruption bug in memalign X-Git-Tag: v0.9.12~37 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=70a92bc968156155dd578f7fb1d4c4e3fceb32f8;p=musl fix heap corruption bug in memalign this bug was caught by the new footer-corruption check in realloc and free. if the block returned by malloc was already aligned to the desired alignment, memalign's logic to split off the misaligned head was incorrect; rather than writing to a point inside the allocated block, it was overwriting the footer of the previous block on the heap with the value 1 (length 0 plus an in-use flag). fortunately, the impact of this bug was fairly low. (this is probably why it was not caught sooner.) due to the way the heap works, malloc will never return a block whose previous block is free. (doing so would be harmful because it would increase fragmentation with no benefit.) the footer is actually not needed for in-use blocks, except that its in-use bit needs to remain set so that it does not get merged with free blocks, so there was no harm in it being set to 1 instead of the correct value. however, there is one case where this bug could have had an impact: in multi-threaded programs, if another thread freed the previous block after memalign's call to malloc returned, but before memalign overwrote the previous block's footer, the resulting block in the free list could be left in a corrupt state. I have not analyzed the impact of this bad state and whether it could lead to more serious malfunction. --- diff --git a/src/malloc/memalign.c b/src/malloc/memalign.c index 55fe68e8..cb232476 100644 --- a/src/malloc/memalign.c +++ b/src/malloc/memalign.c @@ -31,8 +31,10 @@ void *__memalign(size_t align, size_t len) if (!(mem = malloc(len + align-1))) return NULL; - header = ((size_t *)mem)[-1]; new = (void *)((uintptr_t)mem + align-1 & -align); + if (new == mem) return mem; + + header = ((size_t *)mem)[-1]; if (!(header & 7)) { ((size_t *)new)[-2] = ((size_t *)mem)[-2] + (new-mem);