#26093 closed defect (not a bug)

memalign() may fail

Reported by: Dhiraj
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi Team,

I am not sure about this issue; please advise.
https://github.com/torproject/tor/blob/master/src/ext/OpenBSD_malloc_Linux.c#L295
i.e.

void *memalign(size_t boundary, size_t size);

On some systems (though not Linux-based systems) an attempt to free() results from memalign() may fail. This may, on a few systems, be exploitable.

Also note that memalign() may not check that the boundary parameter is correct such as (CWE-676).

Use posix_memalign instead (defined in POSIX's 1003.1d). Don't switch to valloc(); it is marked as obsolete in BSD 4.3, as legacy in SUSv2, and is no longer defined in SUSv3. In some cases, malloc()'s alignment may be sufficient.

Request team to please have a look.

Regards
Dhiraj
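
Added example (not part of the ticket and not Tor's code): a memalign()-style allocator built on posix_memalign(), as the description recommends, that validates the boundary and checks the return value. The names `checked_aligned_alloc` and `is_aligned` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* expose posix_memalign() under strict -std= modes */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from Tor): memalign()-style interface built on
 * posix_memalign(). Returns NULL and sets errno on failure. */
static void *checked_aligned_alloc(size_t boundary, size_t size)
{
    void *p = NULL;
    int rc;

    /* posix_memalign() requires a power of two that is a multiple of sizeof(void *). */
    if (boundary == 0 || (boundary & (boundary - 1)) != 0 ||
        boundary % sizeof(void *) != 0) {
        errno = EINVAL;
        return NULL;
    }
    /* Failures are reported through the return value (EINVAL or ENOMEM), not errno. */
    rc = posix_memalign(&p, boundary, size);
    if (rc != 0) {
        errno = rc;
        return NULL;
    }
    return p;
}

/* Returns 1 if p is a multiple of boundary, 0 otherwise. */
static int is_aligned(const void *p, size_t boundary)
{
    return ((uintptr_t)p % boundary) == 0;
}

int main(void)
{
    void *buf = checked_aligned_alloc(4096, 100);
    if (buf == NULL) { perror("checked_aligned_alloc"); return 1; }
    printf("4096-aligned: %s\n", is_aligned(buf, 4096) ? "yes" : "no");
    free(buf);   /* POSIX: memory from posix_memalign() may be passed to free() */
    if (checked_aligned_alloc(24, 100) == NULL)   /* 24 is not a power of two */
        printf("boundary 24 rejected: errno=%d\n", errno);
    return 0;
}
```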

Change History (3)

comment:1 Changed 19 months ago by rl1987

Component: "- Select a component" → "Core Tor/Tor"

comment:2 Changed 19 months ago by cypherpunks

Depends #20424 resolution.

comment:3 Changed 19 months ago by rl1987

Resolution: not a bug
Status: new → closed

But that's dead code...

$ ag memalign
src/ext/OpenBSD_malloc_Linux.c
295:void *memalign(size_t boundary, size_t size);
1992:int posix_memalign(void **memptr, size_t alignment, size_t size)
2015:void *memalign(size_t boundary, size_t size)
2018:	posix_memalign(&r, boundary, size);
2025:	posix_memalign(&r, malloc_pagesize, size);

memalign() in OpenBSD_malloc_Linux.c is not used anywhere and not even compiled in by default.