tst-malloc-too-large.c source code [glibc/malloc/tst-malloc-too-large.c]

1	/ Test and verify that too-large memory allocations fail with ENOMEM.*
2	Copyright (C) 2018-2024 Free Software Foundation, Inc.
3	This file is part of the GNU C Library.
4
5	The GNU C Library is free software; you can redistribute it and/or
6	modify it under the terms of the GNU Lesser General Public
7	License as published by the Free Software Foundation; either
8	version 2.1 of the License, or (at your option) any later version.
9
10	The GNU C Library is distributed in the hope that it will be useful,
11	but WITHOUT ANY WARRANTY; without even the implied warranty of
12	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13	Lesser General Public License for more details.
14
15	You should have received a copy of the GNU Lesser General Public
16	License along with the GNU C Library; if not, see
17	<https://www.gnu.org/licenses/>. /*
18
19	/ Bug 22375 reported a regression in malloc where if after malloc'ing then*
20	free'ing a small block of memory, malloc is then called with a really
21	large size argument (close to SIZE_MAX): instead of returning NULL and
22	setting errno to ENOMEM, malloc incorrectly returns the previously
23	allocated block instead. Bug 22343 reported a similar case where
24	posix_memalign incorrectly returns successfully when called with an with
25	a really large size argument.
26
27	Both of these were caused by integer overflows in the allocator when it
28	was trying to pad the requested size to allow for book-keeping or
29	alignment. This test guards against such bugs by repeatedly allocating
30	and freeing small blocks of memory then trying to allocate various block
31	sizes larger than the memory bus width of 64-bit targets, or almost
32	as large as SIZE_MAX on 32-bit targets supported by glibc. In each case,
33	it verifies that such impossibly large allocations correctly fail. /*
34
35
36	#include <stdlib.h>
37	#include <malloc.h>
38	#include <errno.h>
39	#include <stdint.h>
40	#include <sys/resource.h>
41	#include <libc-diag.h>
42	#include <support/check.h>
43	#include <unistd.h>
44	#include <sys/param.h>
45
46	#include "tst-malloc-aux.h"
47
48	/ This function prepares for each 'too-large memory allocation' test by*
49	performing a small successful malloc/free and resetting errno prior to
50	the actual test. /*
51	static void
52	test_setup (void)
53	{
54	void *volatile ptr = malloc (`16`);
55	TEST_VERIFY_EXIT (ptr != NULL);
56	free (ptr: ptr);
57	errno = `0`;
58	}
59
60
61	/ This function tests each of:*
62	- malloc (SIZE)
63	- realloc (PTR_FOR_REALLOC, SIZE)
64	- for various values of NMEMB:
65	- calloc (NMEMB, SIZE/NMEMB)
66	- calloc (SIZE/NMEMB, NMEMB)
67	- reallocarray (PTR_FOR_REALLOC, NMEMB, SIZE/NMEMB)
68	- reallocarray (PTR_FOR_REALLOC, SIZE/NMEMB, NMEMB)
69	and precedes each of these tests with a small malloc/free before it. /*
70	static void
71	test_large_allocations (size_t size)
72	{
73	void * ptr_to_realloc;
74
75	test_setup ();
76	DIAG_PUSH_NEEDS_COMMENT;
77	#if __GNUC_PREREQ (7, 0)
78	/ GCC 7 warns about too-large allocations; here we want to test*
79	that they fail. /*
80	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
81	#endif
82	TEST_VERIFY (malloc (size) == NULL);
83	#if __GNUC_PREREQ (7, 0)
84	DIAG_POP_NEEDS_COMMENT;
85	#endif
86	TEST_VERIFY (errno == ENOMEM);
87
88	ptr_to_realloc = malloc (`16`);
89	TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
90	test_setup ();
91	#if __GNUC_PREREQ (7, 0)
92	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
93	#endif
94	TEST_VERIFY (realloc (ptr_to_realloc, size) == NULL);
95	#if __GNUC_PREREQ (7, 0)
96	DIAG_POP_NEEDS_COMMENT;
97	#endif
98	TEST_VERIFY (errno == ENOMEM);
99	#if __GNUC_PREREQ (12, 0)
100	/ Ignore a warning about using a pointer made indeterminate by*
101	a prior call to realloc(). /*
102	DIAG_IGNORE_NEEDS_COMMENT (`12`, "-Wuse-after-free");
103	#endif
104	free (ptr: ptr_to_realloc);
105	#if __GNUC_PREREQ (12, 0)
106	DIAG_POP_NEEDS_COMMENT;
107	#endif
108
109	for (size_t nmemb = `1`; nmemb <= `8`; nmemb *= `2`)
110	if ((size % nmemb) == `0`)
111	{
112	test_setup ();
113	TEST_VERIFY (calloc (nmemb, size / nmemb) == NULL);
114	TEST_VERIFY (errno == ENOMEM);
115
116	test_setup ();
117	TEST_VERIFY (calloc (size / nmemb, nmemb) == NULL);
118	TEST_VERIFY (errno == ENOMEM);
119
120	ptr_to_realloc = malloc (`16`);
121	TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
122	test_setup ();
123	TEST_VERIFY (reallocarray (ptr_to_realloc, nmemb, size / nmemb) == NULL);
124	TEST_VERIFY (errno == ENOMEM);
125	#if __GNUC_PREREQ (12, 0)
126	/ Ignore a warning about using a pointer made indeterminate by*
127	a prior call to realloc(). /*
128	DIAG_IGNORE_NEEDS_COMMENT (`12`, "-Wuse-after-free");
129	#endif
130	free (ptr: ptr_to_realloc);
131	#if __GNUC_PREREQ (12, 0)
132	DIAG_POP_NEEDS_COMMENT;
133	#endif
134
135	ptr_to_realloc = malloc (`16`);
136	TEST_VERIFY_EXIT (ptr_to_realloc != NULL);
137	test_setup ();
138	TEST_VERIFY (reallocarray (ptr_to_realloc, size / nmemb, nmemb) == NULL);
139	TEST_VERIFY (errno == ENOMEM);
140	#if __GNUC_PREREQ (12, 0)
141	/ Ignore a warning about using a pointer made indeterminate by*
142	a prior call to realloc(). /*
143	DIAG_IGNORE_NEEDS_COMMENT (`12`, "-Wuse-after-free");
144	#endif
145	free (ptr: ptr_to_realloc);
146	#if __GNUC_PREREQ (12, 0)
147	DIAG_POP_NEEDS_COMMENT;
148	#endif
149	}
150	else
151	break;
152	}
153
154
155	static long pagesize;
156
157	/ This function tests the following aligned memory allocation functions*
158	using several valid alignments and precedes each allocation test with a
159	small malloc/free before it:
160	memalign, posix_memalign, aligned_alloc, valloc, pvalloc. /*
161	static void
162	test_large_aligned_allocations (size_t size)
163	{
164	/ ptr stores the result of posix_memalign but since all those calls*
165	should fail, posix_memalign should never change ptr. We set it to
166	NULL here and later on we check that it remains NULL after each
167	posix_memalign call. /*
168	void * ptr = NULL;
169
170	size_t align;
171
172	/ All aligned memory allocation functions expect an alignment that is a*
173	power of 2. Given this, we test each of them with every valid
174	alignment from 1 thru PAGESIZE. /*
175	for (align = `1`; align <= pagesize; align *= `2`)
176	{
177	test_setup ();
178	#if __GNUC_PREREQ (7, 0)
179	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
180	#endif
181	TEST_VERIFY (memalign (align, size) == NULL);
182	#if __GNUC_PREREQ (7, 0)
183	DIAG_POP_NEEDS_COMMENT;
184	#endif
185	TEST_VERIFY (errno == ENOMEM);
186
187	/ posix_memalign expects an alignment that is a power of 2 and a*
188	multiple of sizeof (void ). /
189	if ((align % sizeof (void *)) == `0`)
190	{
191	test_setup ();
192	TEST_VERIFY (posix_memalign (&ptr, align, size) == ENOMEM);
193	TEST_VERIFY (ptr == NULL);
194	}
195
196	/ aligned_alloc expects a size that is a multiple of alignment. /
197	if ((size % align) == `0`)
198	{
199	test_setup ();
200	#if __GNUC_PREREQ (7, 0)
201	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
202	#endif
203	TEST_VERIFY (aligned_alloc (align, size) == NULL);
204	#if __GNUC_PREREQ (7, 0)
205	DIAG_POP_NEEDS_COMMENT;
206	#endif
207	TEST_VERIFY (errno == ENOMEM);
208	}
209	}
210
211	/ Both valloc and pvalloc return page-aligned memory. /
212
213	test_setup ();
214	#if __GNUC_PREREQ (7, 0)
215	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
216	#endif
217	TEST_VERIFY (valloc (size) == NULL);
218	#if __GNUC_PREREQ (7, 0)
219	DIAG_POP_NEEDS_COMMENT;
220	#endif
221	TEST_VERIFY (errno == ENOMEM);
222
223	test_setup ();
224	#if __GNUC_PREREQ (7, 0)
225	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
226	#endif
227	TEST_VERIFY (pvalloc (size) == NULL);
228	#if __GNUC_PREREQ (7, 0)
229	DIAG_POP_NEEDS_COMMENT;
230	#endif
231	TEST_VERIFY (errno == ENOMEM);
232	}
233
234
235	#define FOURTEEN_ON_BITS ((1UL << 14) - 1)
236	#define FIFTY_ON_BITS ((1UL << 50) - 1)
237
238
239	static int
240	do_test (void)
241	{
242
243	#if __WORDSIZE >= 64
244
245	/ This test assumes that none of the supported targets have an address*
246	bus wider than 50 bits, and that therefore allocations for sizes wider
247	than 50 bits will fail. Here, we ensure that the assumption continues
248	to be true in the future when we might have address buses wider than 50
249	bits. /*
250
251	struct rlimit alloc_size_limit
252	= {
253	.rlim_cur = FIFTY_ON_BITS,
254	.rlim_max = FIFTY_ON_BITS
255	};
256
257	setrlimit (RLIMIT_AS, rlimits: &alloc_size_limit);
258
259	#endif /* __WORDSIZE >= 64 */
260
261	DIAG_PUSH_NEEDS_COMMENT;
262	#if __GNUC_PREREQ (7, 0)
263	/ GCC 7 warns about too-large allocations; here we want to test*
264	that they fail. /*
265	DIAG_IGNORE_NEEDS_COMMENT (`7`, "-Walloc-size-larger-than=");
266	#endif
267
268	/ Aligned memory allocation functions need to be tested up to alignment*
269	size equivalent to page size, which should be a power of 2. /*
270	pagesize = sysconf (_SC_PAGESIZE);
271	TEST_VERIFY_EXIT (powerof2 (pagesize));
272
273	/ Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.*
274	in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
275
276	We can expect that this range of allocation sizes will always lead to
277	an allocation failure on both 64 and 32 bit targets, because:
278
279	1. no currently supported 64-bit target has an address bus wider than
280	50 bits -- and (2^64 - 2^14) is much wider than that;
281
282	2. on 32-bit targets, even though 2^32 is only 4 GB and potentially
283	addressable, glibc itself is more than 2^14 bytes in size, and
284	therefore once glibc is loaded, less than (2^32 - 2^14) bytes remain
285	available. /*
286
287	for (size_t i = `0`; i <= FOURTEEN_ON_BITS; i++)
288	{
289	test_large_allocations (SIZE_MAX - i);
290	test_large_aligned_allocations (SIZE_MAX - i);
291	}
292
293	/ Allocation larger than PTRDIFF_MAX does play well with C standard,*
294	since pointer subtraction within the object might overflow ptrdiff_t
295	resulting in undefined behavior. To prevent it malloc function fail
296	for such allocations. /*
297	for (size_t i = `1`; i <= FOURTEEN_ON_BITS; i++)
298	{
299	test_large_allocations (PTRDIFF_MAX + i);
300	test_large_aligned_allocations (PTRDIFF_MAX + i);
301	}
302
303	#if __WORDSIZE >= 64
304	/ On 64-bit targets, we need to test a much wider range of too-large*
305	sizes, so we test at intervals of (1 << 50) that allocation sizes
306	ranging from SIZE_MAX down to (1 << 50) fail:
307	The 14 MSBs are decremented starting from "all ON" going down to 1,
308	the 50 LSBs are "all ON" and then "all OFF" during every iteration. /*
309	for (size_t msbs = FOURTEEN_ON_BITS; msbs >= `1`; msbs--)
310	{
311	size_t size = (msbs << `50`) \| FIFTY_ON_BITS;
312	test_large_allocations (size);
313	test_large_aligned_allocations (size);
314
315	size = msbs << `50`;
316	test_large_allocations (size);
317	test_large_aligned_allocations (size);
318	}
319	#endif /* __WORDSIZE >= 64 */
320
321	DIAG_POP_NEEDS_COMMENT;
322
323	return `0`;
324	}
325
326
327	#include <support/test-driver.c>
328

source code of glibc/malloc/tst-malloc-too-large.c