Avoid use of atoi in malloc

Message ID	3ae9534d-e31-95ee-25ea-93707dddf34a@codesourcery.com
State	New
Headers	show Return-Path: <libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org> DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C7FB73858D1E IronPort-SDR: qFbfGORXX+qf68lrWJUG+BM4yaBOWPqz1P2nigkmo1bT6H/h89oTgIGuuyNPrIZchjzv6eN/Mh bJUoxV6HcZpEojEo1jLrK8iz6/E3rc05fwNFDhJLTihqV6hUyxSYmv25zgWaFajMm1sUziMUXF 45/u2IG2GseXLasddk18MInn8liF2IgVHwO5SpXLgmG6GL6iP7e+6Mtb9g83aG9GKEkroBqUav 6OSh3sLY+ifta1F3nsv0ZTVos2ZM1vVfnRdD+rdzRPr96lOi/Fj6IF9gejbAXIRYwteefk/5Az hfw= Date: Thu, 22 Dec 2022 16:29:02 +0000 From: Joseph Myers <joseph@codesourcery.com> To: <libc-alpha@sourceware.org> Subject: Avoid use of atoi in malloc Message-ID: <3ae9534d-e31-95ee-25ea-93707dddf34a@codesourcery.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Precedence: list Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org>
Series	Avoid use of atoi in malloc \| expand Avoid use of atoi in malloc

Message ID

3ae9534d-e31-95ee-25ea-93707dddf34a@codesourcery.com

State

New

Headers

DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C7FB73858D1E
IronPort-SDR: 
 qFbfGORXX+qf68lrWJUG+BM4yaBOWPqz1P2nigkmo1bT6H/h89oTgIGuuyNPrIZchjzv6eN/Mh
 bJUoxV6HcZpEojEo1jLrK8iz6/E3rc05fwNFDhJLTihqV6hUyxSYmv25zgWaFajMm1sUziMUXF
 45/u2IG2GseXLasddk18MInn8liF2IgVHwO5SpXLgmG6GL6iP7e+6Mtb9g83aG9GKEkroBqUav
 6OSh3sLY+ifta1F3nsv0ZTVos2ZM1vVfnRdD+rdzRPr96lOi/Fj6IF9gejbAXIRYwteefk/5Az
 hfw=
Date: Thu, 22 Dec 2022 16:29:02 +0000
From: Joseph Myers <joseph@codesourcery.com>
To: <libc-alpha@sourceware.org>
Subject: Avoid use of atoi in malloc
Message-ID: <3ae9534d-e31-95ee-25ea-93707dddf34a@codesourcery.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Precedence: list
Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org
Sender: "Libc-alpha"
 <libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org>

Series

Avoid use of atoi in malloc | expand

Commit Message

Joseph Myers Dec. 22, 2022, 4:29 p.m. UTC

This patch is analogous to commit
a3708cf6b0a5a68e2ed1ce3db28a03ed21d368d2.

atoi has undefined behavior on out-of-range input, which makes it
problematic to use anywhere in glibc that might be processing input
out-of-range for atoi but not specified to produce undefined behavior
for the function calling atoi.  In conjunction with the C2x strtol
changes, use of atoi in libc can also result in localplt test failures
because the redirection for strtol does not interact properly with the
libc_hidden_proto call for __isoc23_strtol for the call in the inline
atoi implementation.

In malloc/arena.c, this issue shows up for atoi calls that are only
compiled for --disable-tunables (thus with the
x86_64-linux-gnu-minimal configuration of build-many-glibcs.py, for
example).  Change those atoi calls to use strtol directly, as in the
previous such changes.

Tested for x86_64 (--disable-tunables).

Comments

Noah Goldstein Dec. 22, 2022, 6:19 p.m. UTC | #1

On Thu, Dec 22, 2022 at 8:29 AM Joseph Myers <joseph@codesourcery.com> wrote:
>
> This patch is analogous to commit
> a3708cf6b0a5a68e2ed1ce3db28a03ed21d368d2.
>
> atoi has undefined behavior on out-of-range input, which makes it
> problematic to use anywhere in glibc that might be processing input
> out-of-range for atoi but not specified to produce undefined behavior
> for the function calling atoi.  In conjunction with the C2x strtol
> changes, use of atoi in libc can also result in localplt test failures
> because the redirection for strtol does not interact properly with the
> libc_hidden_proto call for __isoc23_strtol for the call in the inline
> atoi implementation.
>
> In malloc/arena.c, this issue shows up for atoi calls that are only
> compiled for --disable-tunables (thus with the
> x86_64-linux-gnu-minimal configuration of build-many-glibcs.py, for
> example).  Change those atoi calls to use strtol directly, as in the
> previous such changes.
>
> Tested for x86_64 (--disable-tunables).
>
> diff --git a/malloc/arena.c b/malloc/arena.c
> index f381f18371..840129e956 100644
> --- a/malloc/arena.c
> +++ b/malloc/arena.c
> @@ -386,34 +386,39 @@ ptmalloc_init (void)
>                if (!__builtin_expect (__libc_enable_secure, 0))
>                  {
>                    if (memcmp (envline, "TOP_PAD_", 8) == 0)
> -                    __libc_mallopt (M_TOP_PAD, atoi (&envline[9]));
> +                    __libc_mallopt (M_TOP_PAD, strtol (&envline[9], NULL, 10));
>                    else if (memcmp (envline, "PERTURB_", 8) == 0)
> -                    __libc_mallopt (M_PERTURB, atoi (&envline[9]));
> +                    __libc_mallopt (M_PERTURB, strtol (&envline[9], NULL, 10));
>                  }
>                break;
>              case 9:
>                if (!__builtin_expect (__libc_enable_secure, 0))
>                  {
>                    if (memcmp (envline, "MMAP_MAX_", 9) == 0)
> -                    __libc_mallopt (M_MMAP_MAX, atoi (&envline[10]));
> +                    __libc_mallopt (M_MMAP_MAX, strtol (&envline[10],
> +                                                       NULL, 10));
>                    else if (memcmp (envline, "ARENA_MAX", 9) == 0)
> -                    __libc_mallopt (M_ARENA_MAX, atoi (&envline[10]));
> +                    __libc_mallopt (M_ARENA_MAX, strtol (&envline[10],
> +                                                        NULL, 10));
>                  }
>                break;
>              case 10:
>                if (!__builtin_expect (__libc_enable_secure, 0))
>                  {
>                    if (memcmp (envline, "ARENA_TEST", 10) == 0)
> -                    __libc_mallopt (M_ARENA_TEST, atoi (&envline[11]));
> +                    __libc_mallopt (M_ARENA_TEST, strtol (&envline[11],
> +                                                         NULL, 10));
>                  }
>                break;
>              case 15:
>                if (!__builtin_expect (__libc_enable_secure, 0))
>                  {
>                    if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
> -                    __libc_mallopt (M_TRIM_THRESHOLD, atoi (&envline[16]));
> +                    __libc_mallopt (M_TRIM_THRESHOLD, strtol (&envline[16],
> +                                                             NULL, 10));
>                    else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
> -                    __libc_mallopt (M_MMAP_THRESHOLD, atoi (&envline[16]));
> +                    __libc_mallopt (M_MMAP_THRESHOLD, strtol (&envline[16],
> +                                                             NULL, 10));
>                  }
>                break;
>              default:
>
> --
> Joseph S. Myers
> joseph@codesourcery.com

LGTM.

diff --git a/malloc/arena.c b/malloc/arena.c
index f381f18371..840129e956 100644
--- a/malloc/arena.c
+++ b/malloc/arena.c
@@ -386,34 +386,39 @@  ptmalloc_init (void)
               if (!__builtin_expect (__libc_enable_secure, 0))
                 {
                   if (memcmp (envline, "TOP_PAD_", 8) == 0)
-                    __libc_mallopt (M_TOP_PAD, atoi (&envline[9]));
+                    __libc_mallopt (M_TOP_PAD, strtol (&envline[9], NULL, 10));
                   else if (memcmp (envline, "PERTURB_", 8) == 0)
-                    __libc_mallopt (M_PERTURB, atoi (&envline[9]));
+                    __libc_mallopt (M_PERTURB, strtol (&envline[9], NULL, 10));
                 }
               break;
             case 9:
               if (!__builtin_expect (__libc_enable_secure, 0))
                 {
                   if (memcmp (envline, "MMAP_MAX_", 9) == 0)
-                    __libc_mallopt (M_MMAP_MAX, atoi (&envline[10]));
+                    __libc_mallopt (M_MMAP_MAX, strtol (&envline[10],
+							NULL, 10));
                   else if (memcmp (envline, "ARENA_MAX", 9) == 0)
-                    __libc_mallopt (M_ARENA_MAX, atoi (&envline[10]));
+                    __libc_mallopt (M_ARENA_MAX, strtol (&envline[10],
+							 NULL, 10));
                 }
               break;
             case 10:
               if (!__builtin_expect (__libc_enable_secure, 0))
                 {
                   if (memcmp (envline, "ARENA_TEST", 10) == 0)
-                    __libc_mallopt (M_ARENA_TEST, atoi (&envline[11]));
+                    __libc_mallopt (M_ARENA_TEST, strtol (&envline[11],
+							  NULL, 10));
                 }
               break;
             case 15:
               if (!__builtin_expect (__libc_enable_secure, 0))
                 {
                   if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
-                    __libc_mallopt (M_TRIM_THRESHOLD, atoi (&envline[16]));
+                    __libc_mallopt (M_TRIM_THRESHOLD, strtol (&envline[16],
+							      NULL, 10));
                   else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
-                    __libc_mallopt (M_MMAP_THRESHOLD, atoi (&envline[16]));
+                    __libc_mallopt (M_MMAP_THRESHOLD, strtol (&envline[16],
+							      NULL, 10));
                 }
               break;
             default:

Avoid use of atoi in malloc

Commit Message

Comments

Patch