[LLVMbugs] [Bug 6687] New: operator new should check for integer overflows

[bugzilla-daemon at llvm.org]

http://llvm.org/bugs/show_bug.cgi?id=6687

           Summary: operator new should check for integer overflows
           Product: clang
           Version: trunk
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: C++
        AssignedTo: unassignedclangbugs at nondot.org
        ReportedBy: felix-llvm at fefe.de
                CC: llvmbugs at cs.uiuc.edu, dgregor at apple.com


A common security problem in C++ code is operator new for arrays.
For example:

  int* i=new int[some_untrusted_size_t];

operator new takes a single size_t argument, so the compiler generates code at
this point that will multiply some_untrusted_size_t by sizeof(int) and pass the
result to operator new.

Now, if sizeof(int)==4 and some_untrusted_size_t==0x40000000, for example, then
the multiplication results does not fit into a size_t and is truncated.  This
leads not only to bugs, but to security vulnerabilities that allow the whole
process to be taken over.

Therefore I propose that clang generates code that checks for overflows here
and do the right thing (depending on which operator new is used, either throw
and exception or return NULL).

The easiest way to do this is to do what Microsoft Visual C++ does: it
multiplies, and then, if the overflow bit is set (on x86/x86-64), it passes
(size_t)-1 to operator new, which will cause it to fail.  This can still cause
issues when the user wrote their own operator new that rounds up or adds a
margin without checking for integer overflow, but that is then the user's
fault, not the compiler's, and it is done explicitly, so it is easier to spot
and fix.

-- 
Configure bugmail: http://llvm.org/bugs/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.