From patchwork Thu Jan 15 12:09:28 2026
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 128121
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: dilfridge@gentoo.org, fweimer@redhat.com, collin.funk1@gmail.com, igor.morgenstern@aisle.com, carlos@redhat.com, adhemerval.zanella@linaro.org
Subject: [PATCH v3] memalign: reinstate alignment overflow check (CVE-2026-0861)
Date: Thu, 15 Jan 2026 07:09:28 -0500
Message-ID: <20260115120928.1501029-1-siddhesh@gotplt.org>
In-Reply-To: <20260114205849.2814817-1-siddhesh@sourceware.org>
References: <20260114205849.2814817-1-siddhesh@sourceware.org>

The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
overflow check for alignment in memalign functions, _mid_memalign and
_int_memalign.  Reinstate the overflow checks, aligned with the
PTRDIFF_MAX change.

CVE-Id: CVE-2026-0861
Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
Reported-by: Igor Morgenstern, Aisle Research
Fixes: BZ #33796
Signed-off-by: Siddhesh Poyarekar
---
Changes from V2:

- Split the powerof2 adjustment out of this change.
- Reinstated the _int_memalign overflow check as well.

 malloc/malloc.c               | 24 ++++++++++++++++++++++--
 malloc/tst-malloc-too-large.c | 10 ++--------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 20874a5dfe..2b9faeaa25 100644
--- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3617,7 +3617,17 @@ _mid_memalign (size_t alignment, size_t bytes) return tag_new_usable (p); } - arena_get (ar_ptr, bytes + alignment + MINSIZE); + ptrdiff_t total; + /* ALIGNMENT is a power of two, so adding MINSIZE won't overflow it. */ + if (__glibc_unlikely (__builtin_add_overflow (bytes, + alignment + MINSIZE, + &total))) + { + __set_errno (ENOMEM); + return NULL; + } + + arena_get (ar_ptr, total); p = _int_memalign (ar_ptr, alignment, bytes); if (!p && ar_ptr != NULL) @@ -4710,8 +4720,18 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) } size_t nb = checked_request2size (bytes); + ptrdiff_t total; + /* ALIGNMENT is a power of two, so adding MINSIZE won't overflow it. */ + if (__glibc_unlikely (__builtin_add_overflow (nb, + alignment + MINSIZE, + &total))) + { + __set_errno (ENOMEM); + return NULL; + } + /* Call malloc with worst case padding to hit alignment. */ - void *m = _int_malloc (av, nb + alignment + MINSIZE); + void *m = _int_malloc (av, total); if (m == NULL) return NULL; diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c index 34847067dc..ee231285bf 100644 --- a/malloc/tst-malloc-too-large.c +++ b/malloc/tst-malloc-too-large.c @@ -152,7 +152,6 @@ test_large_allocations (size_t size) } -static long pagesize; /* This function tests the following aligned memory allocation functions using several valid alignments and precedes each allocation test with a @@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size) /* All aligned memory allocation functions expect an alignment that is a power of 2. Given this, we test each of them with every valid - alignment from 1 thru PAGESIZE. */ - for (align = 1; align <= pagesize; align *= 2) + alignment for the type of ALIGN, i.e. until it wraps to 0. */ + for (align = 1; align > 0; align <<= 1) { test_setup (); #if __GNUC_PREREQ (7, 0) 
@@ -265,11 +264,6 @@ do_test (void) DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); #endif - /* Aligned memory allocation functions need to be tested up to alignment - size equivalent to page size, which should be a power of 2. */ - pagesize = sysconf (_SC_PAGESIZE); - TEST_VERIFY_EXIT (powerof2 (pagesize)); - /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
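Review bot: in the `_mid_memalign` hunk, the declared type of `total` is what makes the check enforce the PTRDIFF_MAX cap rather than only catching size_t wrap-around: `__builtin_add_overflow (bytes, alignment + MINSIZE, &total)` with `ptrdiff_t total` reports overflow for any sum above PTRDIFF_MAX even when the size_t addition would not wrap. That is the intent the commit message states, but nothing in the code says so; a one-line comment next to `ptrdiff_t total;` ("ptrdiff_t so that totals above PTRDIFF_MAX are rejected, matching the size cap") would stop a later reader from "fixing" it back to size_t. The `/* ALIGNMENT is a power of two ... */` comment also depends on the power-of-two validation that V3 split into a separate change; naming that dependency here would help.

Review bot: the `_int_memalign` hunk repeats the `_mid_memalign` check verbatim, one call later on the same values. The V2 changelog says the duplication is deliberate, so a comment on which callers reach `_int_memalign` without going through `_mid_memalign` would justify it; otherwise consider a small static helper so the two copies cannot drift apart. Note also that `_int_malloc (av, total)` now receives a `ptrdiff_t` where it previously received the size_t expression `nb + alignment + MINSIZE`; the conversion is safe because a successful `__builtin_add_overflow` leaves a non-negative value, but that deserves a word in the comment.

Review bot: in the `tst-malloc-too-large.c` loop hunk, `for (align = 1; align > 0; align <<= 1)` terminates only by shifting the top bit out so that `align` wraps to 0, which is well defined for an unsigned type and undefined behaviour for a signed one; the declaration of `align` is not in the hunk, so please confirm it is unsigned (e.g. size_t). With the page-size bound gone the loop now also covers alignments far larger than a page, which is what drives `bytes + alignment + MINSIZE` past the cap; the updated comment could say that the large alignments are the point rather than only "until it wraps to 0".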
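To show why the reinstated check sums into a signed `ptrdiff_t`, here is an added example in C (not glibc's code) that models the pre-patch wrapping sum beside the patch's overflow check. MINSIZE is an assumed stand-in value of 32, and the power-of-two test inside `checked_total` is added for illustration; in glibc that validation happens in the caller.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for glibc's MINSIZE (smallest chunk size).  32 is assumed
   here for illustration; the real value is platform dependent.  */
#define MINSIZE 32

/* Pre-patch arithmetic: size_t addition wraps silently when
   bytes + alignment + MINSIZE exceeds SIZE_MAX, turning a huge
   request into a small one.  */
size_t naive_total (size_t bytes, size_t alignment)
{
  return bytes + alignment + MINSIZE;
}

/* Modelled on the patch.  A power-of-two alignment plus MINSIZE cannot
   wrap (power-of-two check added here; glibc validates it earlier).
   Summing into a ptrdiff_t makes __builtin_add_overflow reject every
   total above PTRDIFF_MAX, not only totals that wrap past SIZE_MAX.
   Returns -1 with errno set on failure, else the total (always >= 0).  */
ptrdiff_t checked_total (size_t bytes, size_t alignment)
{
  ptrdiff_t total;
  if (alignment == 0 || (alignment & (alignment - 1)) != 0)
    { errno = EINVAL; return -1; }
  if (__builtin_add_overflow (bytes, alignment + MINSIZE, &total))
    { errno = ENOMEM; return -1; }
  return total;
}

int main (void)
{
  /* Constructed inputs: one that wraps size_t, one that stays below
     SIZE_MAX but exceeds PTRDIFF_MAX, and an ordinary request.  */
  size_t cases[][2] = { { SIZE_MAX - 4, 64 },
                        { (size_t) PTRDIFF_MAX - 10, 64 },
                        { 1000, 64 } };
  for (size_t i = 0; i < 3; i++)
    printf ("bytes=%zu align=%zu naive=%zu checked=%td\n",
            cases[i][0], cases[i][1],
            naive_total (cases[i][0], cases[i][1]),
            checked_total (cases[i][0], cases[i][1]));
  return 0;
}
```

The second case is the one the `ptrdiff_t` destination exists for: the size_t sum does not wrap, yet the request is above PTRDIFF_MAX and must still be refused.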