Open avrs-admin opened 2 years ago
Petteri Aimonen
This got triggered by nanopb fuzz tests; I'm adding a workaround on my library side as this would otherwise have potential security implications. It would be great if this could eventually be fixed on avr-libc side.
I think the suggested patch does not address the case of len == 0, which should be equivalent to free(ptr). I've attached a patch that handles that also.
Petteri Aimonen
Other related bugs: #40535, #32702
Sun 04 Mar 2018 11:19:44 PM CET
The realloc() function does not respect the freelist size when resizing an allocation down to 0 or 1 bytes. If this allocation is then deallocated with free(), a freelist entry is placed in its slot that can partially overwrite an adjacent allocation, leading to irrecoverable memory corruption. The following code can reproduce the corruption:
malloc() handles this issue with a minimum allocation size, so that requested allocations of 0, 1, or 2 bytes all take the same storage. The same technique can be used here to prevent problems, as shown in the attached patch.
file #43463: realloc_small_size.patch
file #48143: avr-libc-realloc-small-len-values.patch
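The mechanism in the report, shown on a small model allocator. This is an added example, not avr-libc code and not either attached patch: the arena, the 2-byte header and link widths (chosen to mirror AVR's 2-byte size_t and pointers), the split rule in the shrink path and the function names are all assumptions of the model. A free chunk keeps its next-free link in the first two payload bytes, so a chunk whose recorded payload is 0 or 1 bytes cannot hold the link, and free() writes it over the neighbouring chunk's header. Clamping the requested length to the same minimum malloc() enforces (the fix the report proposes) makes the write fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model allocator (assumption, not avr-libc): chunk = 2-byte payload-size
 * header followed by the payload. A free chunk stores the arena offset of
 * the next free chunk in its first two payload bytes. */
enum { ARENA_SIZE = 64, HDR = 2, MIN_PAYLOAD = 2, FREE_NONE = 0xFFFF };

static uint8_t  arena[ARENA_SIZE];
static uint16_t brk_off;   /* first unused arena byte (bump allocation) */
static uint16_t flp;       /* header offset of first free chunk, or FREE_NONE */

/* memcpy-based accessors so odd offsets are not an alignment problem on the host */
static uint16_t rd16(uint16_t off) { uint16_t v; memcpy(&v, arena + off, 2); return v; }
static void     wr16(uint16_t off, uint16_t v) { memcpy(arena + off, &v, 2); }

static void model_reset(void) { memset(arena, 0, sizeof arena); brk_off = 0; flp = FREE_NONE; }

/* malloc with the minimum the report describes: 0, 1 and 2 byte requests all
 * get a 2-byte payload. Freelist reuse is left out; it is not needed here. */
static uint16_t model_malloc(uint16_t len) {
    if (len < MIN_PAYLOAD) len = MIN_PAYLOAD;
    if (brk_off + HDR + len > ARENA_SIZE) return FREE_NONE;
    uint16_t payload = brk_off + HDR;
    wr16(brk_off, len);
    brk_off += HDR + len;
    return payload;
}

/* free: push the chunk on the freelist. The link write is always HDR bytes
 * wide, whatever size the header records; that is the overwriting write. */
static void model_free(uint16_t payload) {
    wr16(payload, flp);
    flp = payload - HDR;
}

/* Shrink in place: record the new length in the header and, if the tail is
 * big enough to be a chunk of its own, split it off and free it. With clamp
 * set, the malloc() minimum is applied first (the proposed fix). */
static uint16_t model_realloc_shrink(uint16_t payload, uint16_t len, int clamp) {
    if (clamp && len < MIN_PAYLOAD) len = MIN_PAYLOAD;
    uint16_t cur = rd16(payload - HDR);
    if (len >= cur) return payload;
    uint16_t spare = cur - len;
    if (spare >= HDR + MIN_PAYLOAD) {
        wr16(payload - HDR, len);          /* this chunk now claims only len bytes */
        wr16(payload + len, spare - HDR);  /* tail becomes its own chunk ... */
        model_free(payload + len + HDR);   /* ... and goes on the freelist */
    }
    return payload;
}

/* Scenario: a 16-byte block is shrunk to shrink_to bytes and then freed.
 * Returns 1 if the header of the split-off tail chunk or the contents of the
 * next user block changed, i.e. the free() link landed outside the chunk. */
int scenario_corrupts(uint16_t shrink_to, int clamp) {
    static const uint8_t marker[4] = { 0xAA, 0xAA, 0xAA, 0xAA }; /* constructed data */
    model_reset();
    uint16_t p = model_malloc(16);
    uint16_t q = model_malloc(4);              /* adjacent user block */
    memcpy(arena + q, marker, sizeof marker);

    model_realloc_shrink(p, shrink_to, clamp);
    uint16_t new_len  = rd16(p - HDR);
    uint16_t tail_hdr = p + new_len;           /* header of the freed tail chunk */
    uint16_t tail_sz  = rd16(tail_hdr);

    model_free(p);                             /* writes HDR bytes at offset p */
    return rd16(tail_hdr) != tail_sz || memcmp(arena + q, marker, sizeof marker) != 0;
}

int main(void) {
    for (uint16_t n = 0; n <= 2; n++)
        printf("shrink to %u: unclamped %s, clamped %s\n", n,
               scenario_corrupts(n, 0) ? "CORRUPTS" : "ok",
               scenario_corrupts(n, 1) ? "CORRUPTS" : "ok");
    return 0;
}
```

Shrinking to 0 or 1 byte corrupts the tail chunk's header in the unclamped path because the 2-byte link written by model_free() straddles the end of the 0- or 1-byte payload; shrinking to 2 bytes, or to anything with the clamp in place, leaves every neighbour intact. The clamp belongs at the top of the shrink path, before the new length is compared with the current size, so that the recorded payload can never drop below what a freelist link needs.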
This issue was migrated from https://savannah.nongnu.org/bugs/?53284