Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20260512193511.GF1262@brightrain.aerifal.cx>
Date: Tue, 12 May 2026 15:35:11 -0400
From: Rich Felker <dalias@...c.org>
To: Kalven Schraut <kalvens@...ision.com>
Cc: musl@...ts.openwall.com
Subject: Re: [PATCH] posix_memalign with 4 GiB alignment returns
 pointer that crashes when free is called

On Tue, May 12, 2026 at 07:28:15PM +0000, Kalven Schraut wrote:
> I wasn't sure if you wanted a patch, so just made one real quick
> based on your response. LMK if any issues since first time
> submitting something to a mailing list
> 
> >From 2f64081a0cbfbb8d05f986b9edd9fa9114cb9a42 Mon Sep 17 00:00:00 2001
> From: Kalven Schraut <kalvens@...ision.com>
> Date: Tue, 12 May 2026 14:18:26 -0500
> Subject: [PATCH] fix mallocng free of allocations with large alignment
> 
> Signed-off-by: Kalven Schraut <kalvens@...ision.com>
> ---
>  src/malloc/mallocng/meta.h | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/malloc/mallocng/meta.h b/src/malloc/mallocng/meta.h
> index 61ec53f9..6137729e 100644
> --- a/src/malloc/mallocng/meta.h
> +++ b/src/malloc/mallocng/meta.h
> @@ -129,13 +129,14 @@ static inline int get_slot_index(const unsigned char *p)
>  static inline struct meta *get_meta(const unsigned char *p)
>  {
>     assert(!((uintptr_t)p & 15));
> -   int offset = *(const uint16_t *)(p - 2);
> +  size_t offset = *(const uint16_t *)(p - 2);
>     int index = get_slot_index(p);
>     if (p[-4]) {
>         assert(!offset);
>         offset = *(uint32_t *)(p - 8);
>         assert(offset > 0xffff);
>     }
> +  assert(offset <= PTRDIFF_MAX/UNIT)
>     const struct group *base = (const void *)(p - UNIT*offset - UNIT);
>     const struct meta *meta = base->meta;
>     assert(meta->mem == base);

I've got it already, but thanks. BTW the assert goes inside that if,
not outside, in case the compiler isn't smart enough to move it
inside (a 16-bit offset can never overflow and 32-bit ones are the
rare case that can only occur for extreme overalignment).

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.