Opened 7 years ago

Last modified 3 years ago

#6701 new Bugs

integer overflows in ordered_malloc()

Reported by: Xi Wang <xi.wang@…> Owned by: John Maddock
Milestone: To Be Determined Component: pool
Version: Boost Development Trunk Severity: Problem
Keywords: Cc:

Description

Consider pool::ordered_malloc(size_type n).

const size_type total_req_size = n * requested_size;

Given a large n, total_req_size will wrap around to a small integer. The allocated memory would be smaller than expected, leading to a potential buffer overflow.

Attachments (3)

pool.patch (1.1 KB) - added by Xi Wang <xi.wang@…> 7 years ago.
fix integer overflows in pool::ordered_malloc
boost-1.58.0-pool.patch (4.6 KB) - added by jwakely <jwakely.boost@…> 3 years ago.
Updated patch against 1.58.0, fixing shadowing warning.
boost-1.58.0-pool.2.patch (4.6 KB) - added by jwakely <jwakely.boost@…> 3 years ago.
*Correct* patch against 1.58.0, fixing shadowing warning.

Download all attachments as: .zip

Change History (16)

Changed 7 years ago by Xi Wang <xi.wang@…>

Attachment: pool.patch added

fix integer overflows in pool::ordered_malloc

comment:1 Changed 7 years ago by edupuis

Owner: changed from Chris Newbold to edupuis
Status: newassigned

comment:2 Changed 7 years ago by edupuis

There are many other overflows in class pool that needs to be fixed.

comment:3 Changed 7 years ago by edupuis

Resolution: fixed
Status: assignedclosed

(In [78326]) Clamped value of parameters 'next_size' and 'max_size' (which controls the number of memory chunks to allocate) such that when computing the number of bytes that must be allocated, this number of bytes never overflows a 'size_type'. This fixes #6701, in a different manner than the submitted patch.

comment:4 Changed 7 years ago by edupuis

Resolution: fixed
Status: closedreopened

comment:5 Changed 6 years ago by edupuis

Owner: changed from edupuis to John Maddock
Status: reopenednew
Type: PatchesBugs

https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 contains a solution for tickets #3789, #5902, #6561, #6610, #6701, #6718, #6865 and #6867. Related test cases are also present.

https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 does not contain any other new features or modifications other than those related to the above tickets.

Boost.Pool currently has no maintainer and is thus orphaned.

comment:6 Changed 6 years ago by Denis Arnaud

Would it be possible to apply that patch on the release branch (as well as on the trunk)? So, the milestone could become 1.51, if I understand correctly.

Note that that security/vulnerability issue is tracked by the following page: http://www.openwall.com/lists/oss-security/2012/06/07/13

Reference for Fedora/RedHat?/CentOS: https://bugzilla.redhat.com/show_bug.cgi?id=828856

comment:7 in reply to:  4 ; Changed 6 years ago by Marshall Clow

Replying to edupuis:

I'm curious why this ticket was reopened. Did [78326] not fix this problem?

All I see is a notice that the ticket has been reopened.

To prevent confusion like this, a test that demonstrates the problem would be useful.

comment:8 in reply to:  7 Changed 6 years ago by Denis Arnaud

Replying to marshall:

Replying to edupuis:

I'm curious why this ticket was reopened. Did [78326] not fix this problem?

[78326] fixed this problem... but only within the sandbox branch :( So, the fix/patch needs to be applied to both the trunk and release branches.

Hope it clarifies.

comment:9 Changed 4 years ago by Petr Machata <pmachata@…>

I just checked the master branch (a038658 in particular), and the fix is not applied. Is there a reason not to push this to master? In Fedora we have kept lugging the patch along for years, it would be really nice to be able to retire it. Thank you.

comment:10 Changed 3 years ago by anonymous

Still not fixed on master.

Changed 3 years ago by jwakely <jwakely.boost@…>

Attachment: boost-1.58.0-pool.patch added

Updated patch against 1.58.0, fixing shadowing warning.

Changed 3 years ago by jwakely <jwakely.boost@…>

Attachment: boost-1.58.0-pool.2.patch added

*Correct* patch against 1.58.0, fixing shadowing warning.

comment:11 Changed 3 years ago by jwakely <jwakely.boost@…>

The first patch I attached earlier today was the wrong version, which doesn't build, sorry. The second one is the right version of the file that I'm actually using here.

comment:12 Changed 3 years ago by g.gupta@…

Is this fix applied to trunk code ?

comment:13 in reply to:  12 Changed 3 years ago by Jonathan Wakely <jwakely.boost@…>

Replying to g.gupta@…:

Is this fix applied to trunk code ?

No.

Note: See TracTickets for help on using tickets.