From: "René Scharfe" <l.s.r@web.de>
To: Jeff King <peff@peff.net>, git@vger.kernel.org
Cc: Eric Sunshine <sunshine@sunshineco.com>,
Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH 04/21] harden REALLOC_ARRAY and xcalloc against size_t overflow
Date: Sat, 20 Feb 2016 22:32:00 +0100 [thread overview]
Message-ID: <56C8DB50.7070606@web.de> (raw)
In-Reply-To: <20160219112200.GD9319@sigill.intra.peff.net>
Am 19.02.2016 um 12:22 schrieb Jeff King:
> REALLOC_ARRAY inherently involves a multiplication which can
> overflow size_t, resulting in a much smaller buffer than we
> think we've allocated. We can easily harden it by using
> st_mult() to check for overflow. Likewise, we can add
> ALLOC_ARRAY to do the same thing for xmalloc calls.
Good idea!
> xcalloc() should already be fine, because it takes the two
> factors separately, assuming the system calloc actually
> checks for overflow. However, before we even hit the system
> calloc(), we do our memory_limit_check, which involves a
> multiplication. Let's check for overflow ourselves so that
> this limit cannot be bypassed.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
> git-compat-util.h | 3 ++-
> wrapper.c | 3 +++
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/git-compat-util.h b/git-compat-util.h
> index 0c65033..55c073d 100644
> --- a/git-compat-util.h
> +++ b/git-compat-util.h
> @@ -779,7 +779,8 @@ extern int odb_pack_keep(char *name, size_t namesz, const unsigned char *sha1);
> extern char *xgetcwd(void);
> extern FILE *fopen_for_writing(const char *path);
>
> -#define REALLOC_ARRAY(x, alloc) (x) = xrealloc((x), (alloc) * sizeof(*(x)))
> +#define ALLOC_ARRAY(x, alloc) (x) = xmalloc(st_mult((alloc), sizeof(*(x))))
> +#define REALLOC_ARRAY(x, alloc) (x) = xrealloc((x), st_mult((alloc), sizeof(*(x))))
st_mult(x, y) calls unsigned_mult_overflows(x, y), which divides by x.
This division can be done at compile time if x is a constant. This can
be guaranteed for all users of the two macros above by reversing the
arguments of st_mult(), so that sizeof comes first. Probably not a big
win, but why not do it if it's that easy?
Or perhaps a macro like this could help here and in other places which
use st_mult with sizeof:
#define SIZEOF_MULT(x, n) st_mult(sizeof(x), (n))
(I'd call it ARRAY_SIZE, but that name is already taken. :)
René
next prev parent reply other threads:[~2016-02-20 21:32 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-15 21:45 [PATCH 0/18] hardening allocations against integer overflow Jeff King
2016-02-15 21:49 ` [PATCH 01/18] add helpers for detecting size_t overflow Jeff King
2016-02-15 21:49 ` [PATCH 02/18] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-15 21:50 ` [PATCH 03/18] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-15 21:50 ` [PATCH 04/18] add helpers for allocating flex-array structs Jeff King
2016-02-16 1:47 ` Eric Sunshine
2016-02-16 2:52 ` Jeff King
2016-02-15 21:51 ` [PATCH 05/18] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-16 4:22 ` Eric Sunshine
2016-02-16 4:23 ` Jeff King
2016-02-16 4:32 ` Eric Sunshine
2016-02-16 5:46 ` Jeff King
2016-02-15 21:52 ` [PATCH 06/18] use xmallocz to avoid size arithmetic Jeff King
2016-02-15 21:52 ` [PATCH 07/18] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-16 2:17 ` Eric Sunshine
2016-02-16 3:15 ` Jeff King
2016-02-16 3:26 ` Jeff King
2016-02-16 3:36 ` Jeff King
2016-02-16 4:18 ` Eric Sunshine
2016-02-16 4:22 ` Jeff King
2016-02-16 4:10 ` Eric Sunshine
2016-02-15 21:53 ` [PATCH 08/18] use st_add and st_mult for allocation size computation Jeff King
2016-02-16 5:47 ` Eric Sunshine
2016-02-15 21:53 ` [PATCH 09/18] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-15 21:54 ` [PATCH 10/18] fast-import: simplify allocation in start_packfile Jeff King
2016-02-15 21:54 ` [PATCH 11/18] fetch-pack: simplify add_sought_entry Jeff King
2016-02-15 21:55 ` [PATCH 12/18] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-15 21:56 ` [PATCH 13/18] sequencer: simplify memory allocation of get_message Jeff King
2016-02-16 6:05 ` Eric Sunshine
2016-02-15 21:56 ` [PATCH 14/18] git-compat-util: drop mempcpy compat code Jeff King
2016-02-16 6:05 ` Eric Sunshine
2016-02-15 21:56 ` [PATCH 15/18] transport_anonymize_url: use xstrfmt Jeff King
2016-02-15 21:56 ` [PATCH 16/18] diff_populate_gitlink: use a strbuf Jeff King
2016-02-15 21:57 ` [PATCH 17/18] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-15 21:57 ` [PATCH 18/18] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-15 22:02 ` [PATCH 0/18] hardening allocations against integer overflow Jeff King
2016-02-19 11:19 ` [PATCH v2 0/21] " Jeff King
2016-02-19 11:21 ` [PATCH 01/21] reflog_expire_cfg: NUL-terminate pattern field Jeff King
2016-02-19 11:21 ` [PATCH 02/21] add helpers for detecting size_t overflow Jeff King
2016-02-19 11:21 ` [PATCH 03/21] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-19 11:22 ` [PATCH 04/21] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-20 21:32 ` René Scharfe [this message]
2016-02-21 23:30 ` Jeff King
2016-02-19 11:22 ` [PATCH 05/21] add helpers for allocating flex-array structs Jeff King
2016-02-19 11:23 ` [PATCH 06/21] convert manual allocations to argv_array Jeff King
2016-02-20 8:07 ` Eric Sunshine
2016-02-20 8:10 ` Jeff King
2016-02-20 8:29 ` Eric Sunshine
2016-02-20 8:34 ` Jeff King
2016-02-20 8:39 ` Eric Sunshine
2016-02-20 8:57 ` Jeff King
2016-02-20 9:04 ` Eric Sunshine
2016-02-19 11:23 ` [PATCH 07/21] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-19 11:23 ` [PATCH 08/21] use xmallocz to avoid size arithmetic Jeff King
2016-02-19 11:23 ` [PATCH 09/21] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-19 11:23 ` [PATCH 10/21] use st_add and st_mult for allocation size computation Jeff King
2016-02-19 11:24 ` [PATCH 11/21] prepare_{git,shell}_cmd: use argv_array Jeff King
2016-02-19 11:24 ` [PATCH 12/21] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-19 11:24 ` [PATCH 13/21] fast-import: simplify allocation in start_packfile Jeff King
2016-02-19 17:48 ` Junio C Hamano
2016-02-19 19:12 ` Jeff King
2016-02-19 11:24 ` [PATCH 14/21] fetch-pack: simplify add_sought_entry Jeff King
2016-02-19 11:24 ` [PATCH 15/21] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-19 11:25 ` [PATCH 16/21] sequencer: simplify memory allocation of get_message Jeff King
2016-02-19 11:25 ` [PATCH 17/21] git-compat-util: drop mempcpy compat code Jeff King
2016-02-19 11:25 ` [PATCH 18/21] transport_anonymize_url: use xstrfmt Jeff King
2016-02-19 11:25 ` [PATCH 19/21] diff_populate_gitlink: use a strbuf Jeff King
2016-02-19 11:25 ` [PATCH 20/21] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-19 11:25 ` [PATCH 21/21] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-22 22:41 ` [PATCH v3 0/22] hardening allocations against integer overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 01/22] reflog_expire_cfg: NUL-terminate pattern field Jeff King
2016-02-22 22:43 ` [PATCH v3 02/22] add helpers for detecting size_t overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 03/22] tree-diff: catch integer overflow in combine_diff_path allocation Jeff King
2016-02-22 22:43 ` [PATCH v3 04/22] harden REALLOC_ARRAY and xcalloc against size_t overflow Jeff King
2016-02-22 22:43 ` [PATCH v3 05/22] add helpers for allocating flex-array structs Jeff King
2016-02-22 22:44 ` [PATCH v3 06/22] argv-array: add detach function Jeff King
2016-02-22 22:44 ` [PATCH v3 07/22] convert manual allocations to argv_array Jeff King
2016-02-22 22:44 ` [PATCH v3 08/22] convert trivial cases to ALLOC_ARRAY Jeff King
2016-02-22 22:44 ` [PATCH v3 09/22] use xmallocz to avoid size arithmetic Jeff King
2016-02-22 22:44 ` [PATCH v3 10/22] convert trivial cases to FLEX_ARRAY macros Jeff King
2016-02-22 22:44 ` [PATCH v3 11/22] use st_add and st_mult for allocation size computation Jeff King
2016-02-22 22:44 ` [PATCH v3 12/22] prepare_{git,shell}_cmd: use argv_array Jeff King
2016-02-22 22:44 ` [PATCH v3 13/22] write_untracked_extension: use FLEX_ALLOC helper Jeff King
2016-02-22 22:44 ` [PATCH v3 14/22] fast-import: simplify allocation in start_packfile Jeff King
2016-02-22 22:44 ` [PATCH v3 15/22] fetch-pack: simplify add_sought_entry Jeff King
2016-02-22 22:44 ` [PATCH v3 16/22] test-path-utils: fix normalize_path_copy output buffer size Jeff King
2016-02-22 22:44 ` [PATCH v3 17/22] sequencer: simplify memory allocation of get_message Jeff King
2016-02-22 22:45 ` [PATCH v3 18/22] git-compat-util: drop mempcpy compat code Jeff King
2016-02-22 22:45 ` [PATCH v3 19/22] transport_anonymize_url: use xstrfmt Jeff King
2016-02-22 22:45 ` [PATCH v3 20/22] diff_populate_gitlink: use a strbuf Jeff King
2016-02-22 22:45 ` [PATCH v3 21/22] convert ewah/bitmap code to use xmalloc Jeff King
2016-02-22 22:45 ` [PATCH v3 22/22] ewah: convert to REALLOC_ARRAY, etc Jeff King
2016-02-22 23:08 ` [PATCH v3 0/22] hardening allocations against integer overflow Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56C8DB50.7070606@web.de \
--to=l.s.r@web.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).