From patchwork Wed Jan 14 20:58:49 2026
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 128083
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: dilfridge@gentoo.org, igor.morgenstern@aisle.com, carlos@redhat.com, adhemerval.zanella@linaro.org
Subject: [PATCH] memalign: Add alignment overflow check (CVE-2026-0861)
Date: Wed, 14 Jan 2026 15:58:49 -0500
Message-ID: <20260114205849.2814817-1-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.52.0

The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
overflow check for alignment in memalign functions, _mid_memalign and
_int_memalign.  Only _mid_memalign needs the check, since _int_memalign is
called only through that path, so add a new check there which is
compatible with the new PTRDIFF_MAX bound.

Also speed up the power-of-two round up for the alignment while at it.

CVE-Id: CVE-2026-0861
Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
Reported-by: Igor Morgenstern, Aisle Research
Fixes: BZ #33796
Signed-off-by: Siddhesh Poyarekar
---
 malloc/malloc.c               | 23 +++++++++++++----------
 malloc/tst-malloc-too-large.c | 10 ++--------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 20874a5dfe..b21bc7382b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3585,22 +3585,25 @@ _mid_memalign (size_t alignment, size_t bytes) if (alignment < MINSIZE) alignment = MINSIZE; - /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a - power of 2 and will cause overflow in the check below. */ - if (alignment > SIZE_MAX / 2 + 1) + /* Round the alignment up to a power of 2. ALIGNMENT is non-zero here. This + basically emulates __builtin_stdc_bit_ceil. */ + if (!powerof2 (alignment)) + alignment = (size_t) 2 << (sizeof (uint64_t) * 8 + - __builtin_clzll ((uint64_t) alignment - 1) + - 1); + + if (alignment == 0) { __set_errno (EINVAL); return NULL; } - - /* Make sure alignment is power of 2. */ - if (!powerof2 (alignment)) + /* ALIGNMENT is a power of two, so adding MINSIZE won't overflow. */ + if (alignment + MINSIZE > (size_t) PTRDIFF_MAX + || bytes > (size_t) PTRDIFF_MAX - alignment - MINSIZE) { - size_t a = MALLOC_ALIGNMENT * 2; - while (a < alignment) - a <<= 1; - alignment = a; + __set_errno (ENOMEM); + return NULL; } #if USE_TCACHE diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c index 34847067dc..ee231285bf 100644 --- a/malloc/tst-malloc-too-large.c +++ b/malloc/tst-malloc-too-large.c @@ -152,7 +152,6 @@ test_large_allocations (size_t size) } -static long pagesize; /* This function tests the following aligned memory allocation functions using several valid alignments and precedes each allocation test with a @@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size) /* All aligned memory allocation functions expect an alignment that is a power of 2. Given this, we test each of them with every valid - alignment from 1 thru PAGESIZE. */ - for (align = 1; align <= pagesize; align *= 2) + alignment for the type of ALIGN, i.e. until it wraps to 0. */ + for (align = 1; align > 0; align <<= 1) { test_setup (); #if __GNUC_PREREQ (7, 0) 
@@ -265,11 +264,6 @@ do_test (void) DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); #endif - /* Aligned memory allocation functions need to be tested up to alignment - size equivalent to page size, which should be a power of 2. */ - pagesize = sysconf (_SC_PAGESIZE); - TEST_VERIFY_EXIT (powerof2 (pagesize)); - /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
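Review bot: in the _mid_memalign hunk (@@ -3585), the `if (alignment == 0)` EINVAL test relies on `(size_t) 2 << (...)` wrapping to zero when the next power of two would need the top bit of size_t, but neither the round-up comment nor the one on the check says so; a reader who sees the removed `if (alignment > SIZE_MAX / 2 + 1)` guard go away cannot tell where that bound went. Suggest saying it explicitly, e.g. `/* The shift wraps to 0 when the rounded alignment does not fit in size_t.  */` above the `alignment == 0` check. Also worth a sentence in the comment or commit message on the errno split this produces: an alignment above SIZE_MAX / 2 + 1 still returns EINVAL as before, while an alignment of exactly SIZE_MAX / 2 + 1 is a power of two, survives the round-up and now fails the new `alignment + MINSIZE > (size_t) PTRDIFF_MAX` test with ENOMEM. Minor: `sizeof (uint64_t) * 8` would read better as `sizeof (uint64_t) * CHAR_BIT`.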
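Review bot: in the test_large_aligned_allocations hunk (@@ -171), the new loop `for (align = 1; align > 0; align <<= 1)` and its comment ("until it wraps to 0") are only correct if `align` has an unsigned type; shifting a signed value into or past its sign bit is undefined behaviour, and the loop would then have no guaranteed termination. The declaration of `align` is outside this hunk, so please confirm it is size_t (or change it), and consider writing "unsigned" in the comment so the assumption is visible. With that settled, the loop now exercises every alignment up to the top bit, which is exactly the range the removed `SIZE_MAX / 2 + 1` check in _mid_memalign used to guard.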
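Review bot: in the do_test hunk (@@ -265), removing the `pagesize = sysconf (_SC_PAGESIZE);` block drops what looks like the only sysconf call in the file; please check whether the header included for it is still needed by anything else, and whether `powerof2` is still used now that `TEST_VERIFY_EXIT (powerof2 (pagesize));` is gone, so the test does not pick up an unused-include warning.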
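The two checks the commit message describes, written out as an added stand-alone example (this is not glibc's code and not the patch author's; the function names are this example's own). It shows the clz-based power-of-two round-up with the "does not fit" case tested explicitly rather than by unsigned wraparound, the PTRDIFF_MAX bound in the subtraction form the patch uses, and beside it a naive additive bound (a hypothetical formulation, not the code glibc removed) that wraps for large alignments and so lets an oversize request through. MINSIZE is assumed to be 32, its value on LP64 glibc; __builtin_clzll assumes GCC or Clang; the printed cases assume a 64-bit size_t.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: glibc derives MINSIZE from struct malloc_chunk; 32 is what it
   comes to on LP64 targets.  */
#define MINSIZE ((size_t) 32)

/* True when X is a non-zero power of two.  */
static bool
is_pow2 (size_t x)
{
  return x != 0 && (x & (x - 1)) == 0;
}

/* Smallest power of two >= X, or 0 when it does not fit in size_t.  X must
   be non-zero (clz of 0 is undefined).  Same clz formulation as the patch,
   but the unrepresentable case is tested explicitly instead of relying on
   the unsigned shift wrapping to 0.  */
static size_t
bit_ceil_size (size_t x)
{
  if (is_pow2 (x))
    return x;
  /* Index of the highest set bit of X - 1; the result is one bit above it.  */
  int top = (int) (sizeof (uint64_t) * CHAR_BIT)
            - __builtin_clzll ((uint64_t) x - 1) - 1;
  if (top + 1 >= (int) (sizeof (size_t) * CHAR_BIT))
    return 0;                   /* 2 << top would need all SIZE_WIDTH bits.  */
  return (size_t) 2 << top;
}

/* Alignment as _mid_memalign would see it: clamped to MINSIZE, then rounded
   up; 0 means "no representable power of two".  */
static size_t
effective_alignment (size_t alignment)
{
  if (alignment < MINSIZE)
    alignment = MINSIZE;
  return bit_ceil_size (alignment);
}

/* Hypothetical additive bound, NOT the code glibc removed: the sum is
   evaluated in size_t and wraps, so a huge ALIGNMENT passes the test.  */
static bool
naive_bound_ok (size_t alignment, size_t bytes)
{
  return bytes + alignment + MINSIZE <= (size_t) PTRDIFF_MAX;
}

/* Subtraction form used by the patch.  ALIGNMENT is a power of two, so
   ALIGNMENT + MINSIZE cannot wrap, and the subtraction is only evaluated
   once that sum is known to be <= PTRDIFF_MAX.  */
static bool
bound_ok (size_t alignment, size_t bytes)
{
  return !(alignment + MINSIZE > (size_t) PTRDIFF_MAX
           || bytes > (size_t) PTRDIFF_MAX - alignment - MINSIZE);
}

/* Validate (ALIGNMENT, BYTES) the way the patched _mid_memalign does.
   Returns 0 and stores the rounded alignment in *OUT (if non-NULL), or the
   errno value the allocator would set.  */
static int
validate_memalign (size_t alignment, size_t bytes, size_t *out)
{
  size_t a = effective_alignment (alignment);
  if (a == 0)
    return EINVAL;              /* Next power of two does not fit in size_t.  */
  if (!bound_ok (a, bytes))
    return ENOMEM;              /* bytes + a + MINSIZE would exceed PTRDIFF_MAX.  */
  if (out != NULL)
    *out = a;
  return 0;
}

int
main (void)
{
  /* Top bit of size_t: 2^63 on LP64.  */
  size_t top = (size_t) 1 << (sizeof (size_t) * CHAR_BIT - 1);
  size_t a = 0;
  printf ("align 3       -> %d, rounded to %zu\n", validate_memalign (3, 100, &a), a);
  printf ("align 48      -> %d, rounded to %zu\n", validate_memalign (48, 100, &a), a);
  printf ("align top     -> %s\n", validate_memalign (top, 1, NULL) == ENOMEM ? "ENOMEM" : "?");
  printf ("align top + 1 -> %s\n", validate_memalign (top + 1, 1, NULL) == EINVAL ? "EINVAL" : "?");
  printf ("naive bound accepts (top, top): %s\n", naive_bound_ok (top, top) ? "yes" : "no");
  printf ("patch bound accepts (top, top): %s\n", bound_ok (top, top) ? "yes" : "no");
  return 0;
}
```

The explicit `top + 1 >= SIZE_WIDTH` test is equivalent to letting the unsigned shift wrap, as the patch does; it is spelled out here so that the overflow signal is visible at the point where it is produced rather than only at the `alignment == 0` consumer.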