Skip to content

πŸ”’ Fix integer overflow in malloc alignment calculation#20

Closed
undivisible wants to merge 1 commit into
mainfrom
fix-malloc-integer-overflow-18437292978828511348
Closed

πŸ”’ Fix integer overflow in malloc alignment calculation#20
undivisible wants to merge 1 commit into
mainfrom
fix-malloc-integer-overflow-18437292978828511348

Conversation

@undivisible

@undivisible undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

🎯 What: The malloc function in kernel/libc.in had an integer overflow vulnerability in its alignment calculation.
⚠️ Risk: If n was very large, n+7 could overflow to a small or negative value, resulting in a small allocation when a large one was requested, potentially leading to heap corruption or out-of-bounds writes.
πŸ›‘οΈ Solution: Added a bounds check ensuring that n >= 0 and n <= 0x7FFFFFFFFFFFFFF0. If the bounds are violated, malloc safely returns 0 (NULL). Added tests to libc_selftest to ensure negative values and values causing overflow return 0.

PR created automatically by Jules for task 18437292978828511348 started by @undivisible

@undivisible @google-labs-jules
πŸ”’ Fix integer overflow in malloc alignment calculation
508490c 
Added bounds checking to `malloc` to prevent `n + 7` from overflowing
when `n` is very large, which could result in an undersized allocation.
Also added corresponding test cases to `libc_selftest`.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@google-labs-jules

google-labs-jules Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

undivisible added a commit that referenced this pull request Jun 29, 2026
@undivisible
fix: merge clean PRs and libc/allocator security batch
22933b8 
- Fix stray brace in kernel-root.in and remove dead thr_exit return
- Add heap/obj_arena bounds checks (PRs #30, #26)
- Harden malloc/calloc/realloc; replace strcpy with strlcpy; remove strcat
  (PRs #20, #18, #21, #28, #15)
- Split nvme_pci_init, restore e1000_rx_poll, use FS_MAX_FILES constants
  (PRs #14, #17, #16)
- Refresh context.md ponytail index after service-wrapper deletion
@undivisible

undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Changes applied directly on main (rebased past shell.in extraction and service-wrapper deletion). Used panic() instead of unreachable()/assert() where the PRs referenced undefined helpers.

@undivisible

undivisible commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Merged to main in 22933b8. Changes applied directly on main (rebased past shell.in extraction and service-wrapper deletion). Used panic() instead of unreachable()/assert() where the PRs referenced undefined helpers.

@undivisible undivisible mentioned this pull request Jun 29, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@undivisible