
Unexpected behavior when negative size is given to malloc #1

Closed
pr0cf5 opened this issue Jul 18, 2020 · 1 comment

Comments

@pr0cf5

pr0cf5 commented Jul 18, 2020

I found an unexpected behavior in the allocator of guarder. The proof of concept code is the following.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <malloc.h>

int main() {
  /* -8 is converted to size_t, i.e. a request for SIZE_MAX - 7 bytes;
   * a correct allocator cannot satisfy this and should return NULL */
  void **p = malloc(-8);
  /* dereference the result: with NULL this crashes, with a live chunk it
   * prints whatever the chunk contains */
  printf("%p\n", *p);
  return 0;
}
```

An example output for the following code was

```console
$ LD_PRELOAD=./libguarder.so ./bug
0x7f5a2cac8000
```

The execution environment was the most recent ubuntu 18.04. I used the head of the master branch, commit 9e85978aa2e883010cb5d0c4ae1ae7fe7b8fbe6c for libguarder.

The expected behavior is a segmentation fault, since the allocator cannot yield 2**64-8 bytes and p must be NULL. However, p becomes a valid pointer which contains data (which is also a pointer, 0x7f5a2cac8000).

I believe that this is a bug, and it requires fixing. Thank you.
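The size check an allocator front end needs to reject this request, shown as an added example that is neither guarder's code nor part of the issue. The function names `size_is_sane`, `guarded_malloc`, `guarded_calloc` and `request_succeeds`, and the `MAX_SANE_REQUEST` bound, are this example's own assumptions; the bound follows glibc's practice of refusing anything above PTRDIFF_MAX, which is where every negative value converted to size_t ends up.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest request forwarded to the real allocator (assumed bound, as in
 * glibc): no object can exceed PTRDIFF_MAX because it could not be indexed
 * with a ptrdiff_t, and any "negative" size cast to size_t lands above it. */
#define MAX_SANE_REQUEST ((size_t)PTRDIFF_MAX)

/* 1 if the request is plausible, 0 if it is a wrapped-around (negative)
 * value or otherwise impossible size. */
int size_is_sane(size_t n) {
    return n <= MAX_SANE_REQUEST;
}

/* Hypothetical guarded front end: refuse impossible sizes up front, with
 * ENOMEM, instead of letting size arithmetic wrap inside the allocator and
 * handing back a live chunk as the PoC observed. */
void *guarded_malloc(size_t n) {
    if (!size_is_sane(n)) {
        errno = ENOMEM;
        return NULL;
    }
    return malloc(n);
}

/* Same policy for calloc: the nmemb * size product must be checked for
 * overflow before the sanity bound is applied to it. */
void *guarded_calloc(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;           /* product would wrap */
        return NULL;
    }
    if (!size_is_sane(nmemb * size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}

/* Helper for checking the wrapper's verdict on a request: 1 if the
 * allocation was granted (and freed again), 0 if it was refused. */
int request_succeeds(size_t n) {
    void *p = guarded_malloc(n);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void) {
    /* The same request as the PoC: int -8 converted to size_t. */
    void *p = guarded_malloc((size_t)-8);
    printf("malloc(-8) -> %p, errno=%d\n", p, errno);
    printf("malloc(64) -> %s\n", request_succeeds(64) ? "granted" : "refused");
    return 0;
}
```

With the check in place the PoC's `*p` dereference hits NULL and faults as the reporter expects, rather than reading from a chunk the allocator should never have produced.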

@tongping
Contributor

Thank you so much for the comment. Yes, it is definitely a bug.
