Bug#192178: libc6-dev: linking with libmcheck makes output of malloc_usable_size() garbage
Package: libc6-dev
Version: 2.3.1-16
Severity: normal
proof of concept code:
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <mcheck.h>

// On my system, size_t is an unsigned int; %zu is the portable format for it.
int main(void)
{
    char *p = (char *) malloc(sizeof(char));
    if (p == NULL)
        abort();
    printf("I requested %zu bytes.\n", sizeof(char));
    printf("p was allocated %zu bytes.\n", malloc_usable_size(p));
    return 0;
}
output compiled without -lmcheck:
$ gcc -W -Wall try.c
$ ./a.out
I requested 1 bytes.
p was allocated 12 bytes.
output compiled with -lmcheck:
$ gcc -W -Wall try.c -lmcheck
$ ./a.out
I requested 1 bytes.
p was allocated 4141754496 bytes.
the output of malloc_usable_size() is garbage when you link with
-lmcheck. i only WISH i had 4141754496 bytes of memory! ;-)
i think this could conceivably be a security risk for software that
relies on malloc_usable_size() to determine the size of a buffer passed
to a function. bad practise, but i've seen people do this.
pete
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux satan 2.4.20 #4 SMP Mon Mar 24 08:52:15 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US
Versions of packages libc6-dev depends on:
ii libc6 2.3.1-16 GNU C Library: Shared libraries an
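One way to remove the hazard the report describes (a callee sizing a buffer by malloc_usable_size()) is to carry the buffer's capacity alongside the pointer and bound every write by that. The C program below is an added example for this page, not part of the bug report or of glibc: the sized_buf type and its functions are invented for illustration, and allocation_slack() only reports how many extra bytes the allocator claims beyond the request, to show that the number is an allocator detail (and garbage under the -lmcheck behaviour reported above), never a write bound.

```c
#include <malloc.h>   /* malloc_usable_size(): glibc extension, informational only */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A buffer that carries its own capacity. The capacity is the caller's
 * request, never the allocator's opinion. Hypothetical type for this example. */
struct sized_buf {
    char *data;
    size_t cap;   /* bytes we asked malloc() for */
    size_t len;   /* bytes currently in use */
};

int sized_buf_init(struct sized_buf *b, size_t cap)
{
    b->data = malloc(cap);
    if (b->data == NULL)
        return -1;
    b->cap = cap;
    b->len = 0;
    return 0;
}

/* Append n bytes; return -1 instead of trusting any slack the allocator
 * may or may not have handed out beyond cap. */
int sized_buf_append(struct sized_buf *b, const char *src, size_t n)
{
    if (n > b->cap - b->len)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

void sized_buf_free(struct sized_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->cap = b->len = 0;
}

/* Bytes malloc_usable_size() reports beyond the requested size for one
 * allocation. Printed for comparison only; a callee must never write into it. */
size_t allocation_slack(size_t requested)
{
    char *p = malloc(requested);
    size_t usable, slack;
    if (p == NULL)
        return 0;
    usable = malloc_usable_size(p);
    slack = usable >= requested ? usable - requested : 0;
    free(p);
    return slack;
}

/* 1 if the capacity-tracking buffer rejects an over-long append and
 * accepts one that fits exactly, 0 otherwise. */
int append_bounded_demo(void)
{
    struct sized_buf b;
    int ok = 1;
    if (sized_buf_init(&b, 4) != 0)
        return 0;
    ok &= sized_buf_append(&b, "abc", 3) == 0;   /* fits: len 3 of 4 */
    ok &= sized_buf_append(&b, "de", 2) == -1;   /* 2 more would overflow: refused */
    ok &= b.len == 3;                            /* refused append left len unchanged */
    ok &= sized_buf_append(&b, "d", 1) == 0;     /* exactly fills the buffer */
    ok &= b.len == 4;
    sized_buf_free(&b);
    return ok;
}

int main(void)
{
    printf("malloc(1): allocator slack beyond request = %zu bytes\n",
           allocation_slack(1));
    printf("bounded append demo: %s\n", append_bounded_demo() ? "ok" : "FAILED");
    return append_bounded_demo() ? 0 : 1;
}
```

The point of the contrast: sized_buf_append() gives the same answer whether or not the program is linked with -lmcheck, because the bound it checks is the one the program itself recorded at allocation time.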