Opened 11 years ago
Last modified 7 years ago
#6701 new Bugs
integer overflows in ordered_malloc()
| Reported by: | | Owned by: | John Maddock |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | pool |
| Version: | Boost Development Trunk | Severity: | Problem |
| Keywords: | | Cc: | |
Description
Consider `pool::ordered_malloc(size_type n)`.

```cpp
const size_type total_req_size = n * requested_size;
```

Given a large n, total_req_size will wrap around to a small integer. The allocated memory would be smaller than expected, leading to a potential buffer overflow.
Attachments (3)
Change History (16)
by , 11 years ago
Attachment: pool.patch added
comment:1 by , 10 years ago
Owner: changed from  to 
Status: new → assigned
comment:3 by , 10 years ago
Resolution: → fixed
Status: assigned → closed
(In [78326]) Clamped value of parameters 'next_size' and 'max_size' (which controls the number of memory chunks to allocate) such that when computing the number of bytes that must be allocated, this number of bytes never overflows a 'size_type'. This fixes #6701, in a different manner than the submitted patch.
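The two halves of this ticket, the wrapping multiplication in the description and the clamping approach described in the r78326 commit message, as an added example that is not Boost.Pool's code and not the attached patch. It mirrors only the shape of `ordered_malloc`: an element size, a count, and a fixed per-block overhead (`kBlockOverhead`, `checked_mul`, `checked_add`, `clamp_chunk_count` and the other names are assumptions for this example, not Boost identifiers). `unchecked_total` is the ticket's computation; `total_req_size_or_zero` is the check a caller wants; `clamp_chunk_count` is the clamp-the-chunk-count strategy, which bounds the count up front so the byte computation can never exceed `size_type`.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

typedef std::size_t size_type;

// Illustrative per-block overhead (a next-block pointer plus a size field),
// standing in for the bookkeeping a segregated-storage allocator keeps.
// Not Boost.Pool's real layout.
static const size_type kBlockOverhead = 2 * sizeof(void*);

// Convenience: a count large enough that n * 16 wraps to exactly 0
// on any width of size_type (2^(bits-3) * 16 == 2^(bits+1) mod 2^bits).
size_type big_n() {
    return std::numeric_limits<size_type>::max() / 8 + 1;
}

// The computation from the ticket, unchanged: silently wraps for large n.
size_type unchecked_total(size_type n, size_type requested_size) {
    return n * requested_size;
}

// Overflow-safe multiply: false (and *out untouched) if a*b does not fit.
bool checked_mul(size_type a, size_type b, size_type* out) {
    if (a != 0 && b > std::numeric_limits<size_type>::max() / a) return false;
    *out = a * b;
    return true;
}

// Overflow-safe add: false (and *out untouched) if a+b does not fit.
bool checked_add(size_type a, size_type b, size_type* out) {
    if (a > std::numeric_limits<size_type>::max() - b) return false;
    *out = a + b;
    return true;
}

// The check a caller of ordered_malloc needs before touching the allocator:
// n * requested_size + overhead, or 0 meaning "refuse this request".
// 0 is never a legitimate total because kBlockOverhead is non-zero.
size_type total_req_size_or_zero(size_type n, size_type requested_size) {
    size_type bytes, total;
    if (!checked_mul(n, requested_size, &bytes)) return 0;
    if (!checked_add(bytes, kBlockOverhead, &total)) return 0;
    return total;
}

// The strategy described in the r78326 commit message, in spirit: clamp the
// number of chunks per block so that chunks * partition_size + overhead can
// never exceed size_type's range, whatever the caller asked for.
size_type clamp_chunk_count(size_type chunks, size_type partition_size) {
    if (partition_size == 0) return 0;  // nothing sensible to allocate
    const size_type max_bytes  = std::numeric_limits<size_type>::max() - kBlockOverhead;
    const size_type max_chunks = max_bytes / partition_size;
    return chunks < max_chunks ? chunks : max_chunks;
}

int main() {
    const size_type n = big_n();
    std::printf("unchecked n*16 for huge n : %zu (wrapped)\n", unchecked_total(n, 16));
    std::printf("checked total for huge n  : %zu (0 = refused)\n", total_req_size_or_zero(n, 16));
    std::printf("checked total for n=10    : %zu\n", total_req_size_or_zero(10, 16));
    const size_type clamped = clamp_chunk_count(n, 16);
    std::printf("clamped chunk count       : %zu, total %zu\n",
                clamped, total_req_size_or_zero(clamped, 16));
    return 0;
}
```

The clamp is the cheaper fix for an allocator that grows by a configurable chunk count, because it is applied once where `next_size`/`max_size` are set rather than on every allocation path; the explicit checked arithmetic is what a caller should do regardless, since a clamped pool still cannot satisfy a request whose byte count does not fit in `size_type`.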
follow-up: 7 comment:4 by , 10 years ago
Resolution: fixed (cleared)
Status: closed → reopened
comment:5 by , 10 years ago
Owner: changed from  to 
Status: reopened → new
Type: Patches → Bugs
https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 contains a solution for tickets #3789, #5902, #6561, #6610, #6701, #6718, #6865 and #6867. Related test cases are also present.
https://svn.boost.org/svn/boost/sandbox/pool at revision 79460 does not contain any other new features or modifications other than those related to the above tickets.
Boost.Pool currently has no maintainer and is thus orphaned.
comment:6 by , 10 years ago
Would it be possible to apply that patch on the release branch (as well as on the trunk)? So, the milestone could become 1.51, if I understand correctly.
Note that the security/vulnerability issue is tracked by the following page: http://www.openwall.com/lists/oss-security/2012/06/07/13
Reference for Fedora/RedHat/CentOS: https://bugzilla.redhat.com/show_bug.cgi?id=828856
follow-up: 8 comment:7 by , 10 years ago
comment:8 by , 10 years ago
comment:9 by , 8 years ago
I just checked the master branch (a038658 in particular), and the fix is not applied. Is there a reason not to push this to master? In Fedora we have kept lugging the patch along for years, it would be really nice to be able to retire it. Thank you.
by , 7 years ago
Attachment: boost-1.58.0-pool.patch added
Updated patch against 1.58.0, fixing shadowing warning.
by , 7 years ago
Attachment: boost-1.58.0-pool.2.patch added
*Correct* patch against 1.58.0, fixing shadowing warning.
comment:11 by , 7 years ago
The first patch I attached earlier today was the wrong version, which doesn't build, sorry. The second one is the right version of the file that I'm actually using here.
fix integer overflows in pool::ordered_malloc