From patchwork Tue Nov 7 15:27:09 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 835335
From: Istvan Kurucsai To: libc-alpha@sourceware.org Cc: Istvan Kurucsai Subject: [PATCH v2 6/7] malloc: Add more integrity checks to mremap_chunk. Date: Tue, 7 Nov 2017 16:27:09 +0100 Message-Id: <1510068430-27816-7-git-send-email-pistukem@gmail.com> In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> Similarly to the ones in munmap_chunk, ensure that the mapped region begins at a page boundary, that the size is page-aligned and that the offset of the chunk into its page is a power of 2. * malloc/malloc.c (mremap_chunk): Additional checks. --- malloc/malloc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index 5eb661e..1a2ba04 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -2858,16 +2858,22 @@ mremap_chunk (mchunkptr p, size_t new_size) char *cp; assert (chunk_is_mmapped (p)); - assert (((size + offset) & (GLRO (dl_pagesize) - 1)) == 0); + + uintptr_t block = (uintptr_t) p - offset; + uintptr_t mem = (uintptr_t) chunk2mem(p); + size_t total_size = offset + size; + if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0 + || __glibc_unlikely (!powerof2 (mem & (pagesize - 1)))) + malloc_printerr("mremap_chunk(): invalid pointer"); /* Note the extra SIZE_SZ overhead as in mmap_chunk(). */ new_size = ALIGN_UP (new_size + offset + SIZE_SZ, pagesize); /* No need to remap if the number of pages does not change. */ - if (size + offset == new_size) + if (total_size == new_size) return p; - cp = (char *) __mremap ((char *) p - offset, size + offset, new_size, + cp = (char *) __mremap ((char *) block, total_size, new_size, MREMAP_MAYMOVE); if (cp == MAP_FAILED)
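Review bot: In the added condition the `!= 0` sits outside the first `__glibc_unlikely (...)`, while the second test is wholly inside its macro, so the two halves of the `||` are written inconsistently and the first hint wraps the masked value rather than the comparison. Suggest `__glibc_unlikely (((block | total_size) & (pagesize - 1)) != 0)`. In the same added lines, `chunk2mem(p)` and `malloc_printerr("mremap_chunk(): invalid pointer")` lack the space before the opening parenthesis that the surrounding context uses (`chunk_is_mmapped (p)`, `__mremap (`). The commit message says the chunk's offset into its page must be a power of 2, but the check is on `mem & (pagesize - 1)`, the offset of the user pointer from `chunk2mem`, not of `p`. A short comment above the `if` stating which pointer is meant and why a power of 2 is expected would make the check easier to audit against the one in munmap_chunk.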