Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 May 2022 10:51:32 +0000
From: WILLIAMS Stephen <>
To: "" <>
Subject: BUG REPORT: Fault in src/malloc/oldmalloc/aligned_alloc.c leads to
 memory corruption

Fault detection / background:

This fault was detected whilst working with the seL4 microkernel which uses an old fork of musl libc (see Whilst the implementation of aligned_alloc has changed between the seL4 fork and the mainline musl libc the same underlying fault still appears to be present in oldmalloc branch of mainline musl libc.

Fault summary:

The correctness of the memory allocation bookkeeping system relies upon the constraint that the minimum size of a memory 'chunk' is SIZE_ALIGN, defined in malloc_impl.h as 4xsizeof(size_t). If this constraint is broken then bad things happen and the bookkeeping system becomes corrupted, specifically:

1. Arithmetic wrap-around of x occurs in the routines bin_index and bin_index_up within malloc.c resulting in the maximum chunk index being used when the minimum index should have been used. This can lead to chunks below the minimum size limit to be considered to be large unallocated chunks of memory. Subsequent allocation of these unallocated chunks (considered to be large but in reality tiny) allows previously allocated chunks to be re-used / overwritten.

2.The 'next' and 'prev' pointers held in an unallocated chunk (used to maintained a doubly linked list of unallocated chunks) that is below the minimum size limit may be overlayed with the bookkeeping of the following chunk.

The malloc routine enforces this minimum chunk size limit (through the adjust_size routine), however the code of the aligned_alloc routine within aligned_alloc.c can break this minimum size constraint and therefore lead to corruption of the bookkeeping.

The aligned_alloc routine works by malloc'ing sufficient memory to ensure the requested amount of memory is available, at the requested alignment, somewhere within the malloc'ed region. This means that there may be some unused memory allocated before the start of the aligned memory area. This can be handled by splitting the chunk allocated by malloc into two chunks, a chunk of memory prior to the start of the aligned memory followed by a chunk that starts at the requested alignment (see aligned_alloc.c lines 43:49). aligned_alloc then calls ‘__bin_chunk’ (line 51) on the first chunk which wasn't required. So far so good, however aligned_alloc fails to enforce the minimum chunk size constraint on either of the two split chunks.

Proposed fix:

1. A minimum size limit on the ‘len’ parameter of aligned_alloc must be enforced to ensure that the resulting chunk returned by aligned_alloc meets the minimum chunk length limit, i.e. adjust the input ‘len’ value to be no less than SIZE_ALIGN.

2. aligned_alloc must not call ‘__bin_chunk’ in the case where new-men < SIZE_ALIGN. In such a case rather than effectively ‘free’ing this small chunk (which is below the minimum length limit and therefore leads to corruption of the bookkeeping) the memory should be added to the end of the preceding chunk.

Thanks for your help,

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.