From: DJ Delorie
To: libc-alpha@sourceware.org
Subject: [patch v2] Correct range checking in mallopt/mxfast/tcache [BZ #25194]
In-Reply-To: (codonell@redhat.com)
Date: Wed, 04 Dec 2019 15:58:38 -0500

From f5c9a8a75de6d1c114193411634e9abd00618a21 Mon Sep 17 00:00:00 2001
From: DJ Delorie Date: Tue, 3 Dec 2019 17:44:36 -0500 Subject: Correct range checking in mallopt/mxfast/tcache [BZ #25194] do_set_tcache_max, do_set_mxfast: Fix two instances of comparing "size_t < 0" Both cases have upper limit, so the "negative value" case is already handled via overflow semantics. do_set_tcache_max, do_set_tcache_count: Fix return value on error. Note: currently not used. mallopt: pass return value of helper functions to user. Behavior should only be actually changed for mxfast, where we restore the old (pre-tunables) behavior. Reviewed-by: Carlos O'Donell diff --git a/malloc/malloc.c b/malloc/malloc.c index 70cc35a473..a6f78cc6c1 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -5086,13 +5086,14 @@ do_set_arena_max (size_t value) static __always_inline int do_set_tcache_max (size_t value) { - if (value >= 0 && value <= MAX_TCACHE_SIZE) + if (value <= MAX_TCACHE_SIZE) { LIBC_PROBE (memory_tunable_tcache_max_bytes, 2, value, mp_.tcache_max_bytes); mp_.tcache_max_bytes = value; mp_.tcache_bins = csize2tidx (request2size(value)) + 1; + return 1; } - return 1; + return 0; } static __always_inline int @@ -5102,8 +5103,9 @@ do_set_tcache_count (size_t value) { LIBC_PROBE (memory_tunable_tcache_count, 2, value, mp_.tcache_count); mp_.tcache_count = value; + return 1; } - return 1; + return 0; } static __always_inline int @@ -5119,7 +5121,7 @@ static inline int __always_inline do_set_mxfast (size_t value) { - if (value >= 0 && value <= MAX_FAST_SIZE) + if (value <= MAX_FAST_SIZE) { LIBC_PROBE (memory_mallopt_mxfast, 2, value, get_max_fast ()); set_max_fast (value); 
@@ -5144,18 +5146,25 @@ __libc_mallopt (int param_number, int value) (see definition of set_max_fast). */ malloc_consolidate (av); + /* Many of these helper functions take a size_t. We do not worry + about overflow here, because forcing a large size_t value to a + negative "int" might be the only way to pass a large size_t value + to mallopt, and because the helpers have sufficient range + checking already despite the conversions. Many of these helpers + are also referenced in the tunables macros in arena.c. */ + switch (param_number) { case M_MXFAST: - do_set_mxfast (value); + res = do_set_mxfast (value); break; case M_TRIM_THRESHOLD: - do_set_trim_threshold (value); + res = do_set_trim_threshold (value); break; case M_TOP_PAD: - do_set_top_pad (value); + res = do_set_top_pad (value); break; case M_MMAP_THRESHOLD: @@ -5163,25 +5172,25 @@ __libc_mallopt (int param_number, int value) break; case M_MMAP_MAX: - do_set_mmaps_max (value); + res = do_set_mmaps_max (value); break; case M_CHECK_ACTION: - do_set_mallopt_check (value); + res = do_set_mallopt_check (value); break; case M_PERTURB: - do_set_perturb_byte (value); + res = do_set_perturb_byte (value); break; case M_ARENA_TEST: if (value > 0) - do_set_arena_test (value); + res = do_set_arena_test (value); break; case M_ARENA_MAX: if (value > 0) - do_set_arena_max (value); + res = do_set_arena_max (value); break; } __libc_lock_unlock (av->mutex);
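
Review bot: in the do_set_tcache_max hunk, the new `if (value <= MAX_TCACHE_SIZE)` is only correct because `value` is a `size_t`, so a negative `int` from the caller arrives as a very large value and fails the upper bound. That reasoning currently lives only in the commit message. A one-line comment at the check would keep a later reader from re-adding a lower bound, and the helper should state its return convention (1 when the value is applied, 0 when it is rejected) now that the two paths differ.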
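
Review bot: in the do_set_mxfast hunk only the condition changes and the function's return statements fall outside the visible context, yet __libc_mallopt now forwards the result with `res = do_set_mxfast (value);`. Please confirm the rejected path returns 0 as the two tcache helpers now do, or widen the hunk so the return is visible to reviewers. Minor style point: the declaration reads `static inline int` followed by `__always_inline`, while the neighbouring helpers use `static __always_inline int`.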
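
Review bot: in the first __libc_mallopt hunk, the comment added above `switch (param_number)` states that the helpers "have sufficient range checking already", but the patch shows an upper bound only for do_set_tcache_max and do_set_mxfast. For the other helpers called here with an `int` value, such as do_set_trim_threshold and do_set_top_pad, the checks are not visible, so the comment should either name the helpers that bound their argument or be narrowed to the ones that do. The commit message says behavior changes for mxfast, and no test covering the mallopt return value for an out-of-range M_MXFAST is visible in this patch.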
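
Review bot: in the second __libc_mallopt hunk, the M_ARENA_TEST and M_ARENA_MAX cases assign `res` only under `if (value > 0)`, so for a non-positive value mallopt returns whatever `res` was initialized to outside this hunk. Now that the result is passed back to the user, please confirm that the initial value reports failure for these cases, or set it explicitly in an else branch so the rejected path is as clear here as it is in the helpers.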