From 744b63026a29f7eedbbc8e3a01a7f48a6eb0a085 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Thu, 15 Jan 2026 06:06:40 -0500 Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861) The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the overflow check for alignment in memalign functions, _mid_memalign and _int_memalign. Reinstate the overflow check in _int_memalign, aligned with the PTRDIFF_MAX change since that is directly responsible for the CVE. The missing _mid_memalign check is not relevant (and does not have a security impact) and may need a different approach to fully resolve, so it has been omitted. CVE-Id: CVE-2026-0861 Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 Reported-by: Igor Morgenstern, Aisle Research Fixes: BZ #33796 Reviewed-by: Wilco Dijkstra Signed-off-by: Siddhesh Poyarekar (cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93) --- malloc/malloc.c | 7 +++++-- malloc/tst-malloc-too-large.c | 10 ++-------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index d0bbbf3710..70bf56d16c 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -5042,7 +5042,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) INTERNAL_SIZE_T size; nb = checked_request2size (bytes); - if (nb == 0) + if (nb == 0 || alignment > PTRDIFF_MAX) { __set_errno (ENOMEM); return NULL; @@ -5058,7 +5058,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) we don't find anything in those bins, the common malloc code will scan starting at 2x. */ - /* Call malloc with worst case padding to hit alignment. */ + /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a + power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of + space to add MINSIZE and whatever checked_request2size adds to BYTES to + get NB. Consequently, total below also does not overflow. */ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); if (m == 0) diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c index 44979018b8..a5082c1fec 100644 --- a/malloc/tst-malloc-too-large.c +++ b/malloc/tst-malloc-too-large.c @@ -152,7 +152,6 @@ test_large_allocations (size_t size) } -static long pagesize; /* This function tests the following aligned memory allocation functions using several valid alignments and precedes each allocation test with a @@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size) /* All aligned memory allocation functions expect an alignment that is a power of 2. Given this, we test each of them with every valid - alignment from 1 thru PAGESIZE. */ - for (align = 1; align <= pagesize; align *= 2) + alignment for the type of ALIGN, i.e. until it wraps to 0. */ + for (align = 1; align > 0; align <<= 1) { test_setup (); #if __GNUC_PREREQ (7, 0) @@ -265,11 +264,6 @@ do_test (void) DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); #endif - /* Aligned memory allocation functions need to be tested up to alignment - size equivalent to page size, which should be a power of 2. */ - pagesize = sysconf (_SC_PAGESIZE); - TEST_VERIFY_EXIT (powerof2 (pagesize)); - /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e. in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.