From patchwork Thu Jan 15 01:32:18 2026
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: dilfridge@gentoo.org, fweimer@redhat.com, collin.funk1@gmail.com, igor.morgenstern@aisle.com, carlos@redhat.com, adhemerval.zanella@linaro.org
Subject: [PATCH v2] memalign: Add alignment overflow check (CVE-2026-0861)
Date: Wed, 14 Jan 2026 20:32:18 -0500
Message-ID: <20260115013218.2374506-1-siddhesh@sourceware.org>
In-Reply-To: <20260114205849.2814817-1-siddhesh@sourceware.org>
References: <20260114205849.2814817-1-siddhesh@sourceware.org>

The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
overflow check for alignment in memalign functions, _mid_memalign and
_int_memalign.  Only _mid_memalign needs the check, since _int_memalign
is called only through that path, so add a new check there which is
compatible with the new PTRDIFF_MAX bound.  Also speed up the
power-of-two round up for the alignment while at it.

CVE-Id: CVE-2026-0861
Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
Reported-by: Igor Morgenstern, Aisle Research
Fixes: BZ #33796
Signed-off-by: Siddhesh Poyarekar --- Changes from v1: - Use __builtin_add_overflow for overflow check. - Use __builtin_clzl and statically assert that size of size_t is the same as unsigned long. - Use __glibc_unlikely wrappers for the conditions. malloc/malloc.c | 28 ++++++++++++++++++---------- malloc/tst-malloc-too-large.c | 10 ++-------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 20874a5dfe..1cbdac222f 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3585,22 +3585,30 @@ _mid_memalign (size_t alignment, size_t bytes) if (alignment < MINSIZE) alignment = MINSIZE; - /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a - power of 2 and will cause overflow in the check below. */ - if (alignment > SIZE_MAX / 2 + 1) + _Static_assert (sizeof (unsigned long) == sizeof (size_t), + "size_t type does not match in size with unsigned long"); + + /* Round the alignment up to a power of 2. ALIGNMENT is non-zero here. This + basically emulates __builtin_stdc_bit_ceil. Start with 2 to avoid + shifting by the word size. */ + if (!powerof2 (alignment)) + alignment = (size_t) 2 << (sizeof (size_t) * 8 + - __builtin_clzl (alignment - 1) - 1); + + if (__glibc_unlikely (alignment == 0)) { __set_errno (EINVAL); return NULL; } - - /* Make sure alignment is power of 2. */ - if (!powerof2 (alignment)) + ptrdiff_t res __attribute_maybe_unused__; + /* ALIGNMENT is a power of two, so adding MINSIZE won't overflow it. */ + if (__glibc_unlikely (__builtin_add_overflow (bytes, + alignment + MINSIZE, + &res))) { - size_t a = MALLOC_ALIGNMENT * 2; - while (a < alignment) - a <<= 1; - alignment = a; + __set_errno (ENOMEM); + return NULL; } #if USE_TCACHE diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c index 34847067dc..ee231285bf 100644 --- a/malloc/tst-malloc-too-large.c +++ b/malloc/tst-malloc-too-large.c 
@@ -152,7 +152,6 @@ test_large_allocations (size_t size) } -static long pagesize; /* This function tests the following aligned memory allocation functions using several valid alignments and precedes each allocation test with a @@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size) /* All aligned memory allocation functions expect an alignment that is a power of 2. Given this, we test each of them with every valid - alignment from 1 thru PAGESIZE. */ - for (align = 1; align <= pagesize; align *= 2) + alignment for the type of ALIGN, i.e. until it wraps to 0. */ + for (align = 1; align > 0; align <<= 1) { test_setup (); #if __GNUC_PREREQ (7, 0) @@ -265,11 +264,6 @@ do_test (void) DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); #endif - /* Aligned memory allocation functions need to be tested up to alignment - size equivalent to page size, which should be a power of 2. */ - pagesize = sysconf (_SC_PAGESIZE); - TEST_VERIFY_EXIT (powerof2 (pagesize)); - /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
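Review bot: in the malloc/malloc.c hunk (_mid_memalign, @@ -3585), the `if (__glibc_unlikely (alignment == 0))` test is only reachable because `(size_t) 2 << 63` wraps to zero for a non-power-of-two alignment above SIZE_MAX / 2 + 1, yet nothing says so now that the explicit `alignment > SIZE_MAX / 2 + 1` check and its comment are gone; extend the round-up comment with something like "An alignment above SIZE_MAX / 2 + 1 has no power-of-two ceiling in size_t and rounds to 0, which is rejected below" so the zero check does not read as dead code. Two smaller points in the same hunk: `sizeof (size_t) * 8` should be `sizeof (size_t) * CHAR_BIT` rather than hard-coding the byte width, and the hunk now splits the error codes (EINVAL for an alignment that cannot be represented, ENOMEM when bytes + alignment + MINSIZE does not fit in ptrdiff_t); that split matches posix_memalign's contract, where EINVAL is reserved for a bad alignment, but it is a visible behaviour change and deserves a sentence in the commit message.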
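Review bot: in the tst-malloc-too-large.c hunk at @@ -171, `for (align = 1; align > 0; align <<= 1)` terminates only if ALIGN is an unsigned type; the hunk does not show the declaration, and the `> 0` condition reads as if the variable were signed, in which case the shift that sets the top bit is signed overflow and the compiler may assume the loop never ends. Make ALIGN a size_t and write the condition as `align != 0`. Separately, a loop that only yields powers of two never exercises the new round-to-zero path in _mid_memalign (a non-power-of-two alignment above SIZE_MAX / 2 + 1, e.g. SIZE_MAX), so add at least one such case that expects EINVAL.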
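Review bot: the @@ -152 and @@ -265 hunks drop the `pagesize` variable and the `sysconf (_SC_PAGESIZE)` call together, which is consistent; check whether sysconf was the file's only use of <unistd.h> and drop that include in the same patch if so, so the test does not keep a header it no longer needs.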
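As an added illustration, not glibc code and not part of the patch, the following stand-alone C model reproduces the validation sequence the patched _mid_memalign performs: clamp the alignment to MINSIZE, round it up to a power of two with __builtin_clzl, reject the wrap-to-zero case with EINVAL, and reject with ENOMEM any request whose bytes + alignment + MINSIZE total does not fit in ptrdiff_t. MINSIZE is assumed to be 16 (the usual 64-bit glibc value); the model_* names are ours, and model_unchecked_fits is a constructed contrast showing how a plain unsigned sum wraps, not a copy of the vulnerable glibc code.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value of glibc's MINSIZE on 64-bit targets (example only). */
#define MODEL_MINSIZE 16

/* Round ALIGNMENT (non-zero) up to a power of two, emulating
   __builtin_stdc_bit_ceil with __builtin_clzl.  Returns 0 when no
   power-of-two ceiling fits in size_t, i.e. for a non-power-of-two
   value above SIZE_MAX / 2 + 1: the shift count is then the word size
   minus one and (size_t) 2 << 63 wraps to zero.  */
static size_t
model_bit_ceil (size_t alignment)
{
  _Static_assert (sizeof (unsigned long) == sizeof (size_t),
                  "size_t must match unsigned long for __builtin_clzl");
  if ((alignment & (alignment - 1)) == 0)
    return alignment;                      /* already a power of two */
  return (size_t) 2 << (sizeof (size_t) * CHAR_BIT
                        - __builtin_clzl (alignment - 1) - 1);
}

/* Validate (ALIGNMENT, BYTES) the way the patched _mid_memalign does.
   On success returns the normalised alignment and stores 0 in *ERR;
   on failure returns 0 and stores EINVAL or ENOMEM in *ERR.  */
static size_t
model_validate (size_t alignment, size_t bytes, int *err)
{
  *err = 0;
  if (alignment < MODEL_MINSIZE)
    alignment = MODEL_MINSIZE;

  alignment = model_bit_ceil (alignment);
  if (alignment == 0)
    {
      *err = EINVAL;                       /* not representable */
      return 0;
    }

  /* ALIGNMENT is a power of two <= SIZE_MAX / 2 + 1, so adding MINSIZE
     cannot wrap; __builtin_add_overflow then checks that the exact sum
     fits in ptrdiff_t, i.e. does not exceed PTRDIFF_MAX.  */
  ptrdiff_t res;
  if (__builtin_add_overflow (bytes, alignment + MODEL_MINSIZE, &res))
    {
      *err = ENOMEM;
      return 0;
    }
  (void) res;
  return alignment;
}

/* Constructed contrast: the same total computed in size_t arithmetic
   wraps silently, so a huge alignment plus a huge size looks small.  */
static bool
model_unchecked_fits (size_t alignment, size_t bytes)
{
  size_t total = bytes + alignment + MODEL_MINSIZE;   /* may wrap */
  return total <= (size_t) PTRDIFF_MAX;
}

int
main (void)
{
  int err;
  size_t top = (size_t) 1 << (sizeof (size_t) * CHAR_BIT - 1);

  printf ("bit_ceil(24) = %zu\n", model_bit_ceil (24));
  printf ("bit_ceil(SIZE_MAX) = %zu\n", model_bit_ceil (SIZE_MAX));
  model_validate (SIZE_MAX, 16, &err);
  printf ("validate(SIZE_MAX, 16): errno %d (EINVAL=%d)\n", err, EINVAL);
  model_validate (top, 0, &err);
  printf ("validate(2^63, 0): errno %d (ENOMEM=%d)\n", err, ENOMEM);
  printf ("unchecked sum 2^63 + 2^63 + 16 \"fits\": %d\n",
          model_unchecked_fits (top, top));
  return 0;
}
```

The two interesting inputs are SIZE_MAX as an alignment, which has no power-of-two ceiling and must yield EINVAL, and 2^63, which is a valid power of two but can never be satisfied together with the MINSIZE slack, so the checked addition reports ENOMEM while the unsigned sum wraps to 16 and would pass.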