Title
polymorphic_allocator::allocate should not allow integer overflow to create vulnerabilities
Status
wp
Section
[mem.poly.allocator.mem]
Submitter
Billy O'Neal III

Created on 2017-11-16.00:00:00, last changed 2018-11-12.04:39:29.

Messages

Date: 2018-11-12.04:39:29

Proposed resolution:

Wording relative to N4762.

  1. Edit [mem.poly.allocator.mem] as indicated:

    Tp* allocate(size_t n);
    

    -1- Effects: If SIZE_MAX / sizeof(Tp) < n, throws length_error. Otherwise Eequivalent to:

    return static_cast<Tp*>(memory_rsrc->allocate(n * sizeof(Tp), alignof(Tp)));
    
Date: 2018-11-12.04:39:29

[ 2018-11, Adopted in San Diego ]

Date: 2018-08-23.00:00:00

[ 2018-08-23 Batavia Issues processing ]

Status to Tentatively Ready with updated wording

Previous resolution [SUPERSEDED]:

Wording relative to N4762.

  1. Edit [mem.poly.allocator.mem] as indicated:

    Tp* allocate(size_t n);
    

    -1- Effects: If SIZE_MAX / sizeof(Tp) < n, throws length_error, then Eequivalent to:

    return static_cast<Tp*>(memory_rsrc->allocate(n * sizeof(Tp), alignof(Tp)));
    
Date: 2018-08-13.20:00:21

[ 2018-06 Rapperswil Thursday issues processing ]

Consensus was that the overflow should be detected and an exception thrown rather than leaving that to the underlying memory resource. Billy to reword, and then get feedback on the reflector. Status to Open.

Previous resolution [SUPERSEDED]:

Wording relative to N4700.

  1. Edit [mem.poly.allocator.mem] as indicated:

    Tp* allocate(size_t n);
    

    -1- ReturnsEffects: Equivalent to

    return static_cast<Tp*>(memory_rsrc->allocate(SIZE_MAX / sizeof(Tp) < n ? SIZE_MAX : n * sizeof(Tp), alignof(Tp)));
    
Date: 2017-11-16.00:00:00

At the moment polymorphic_allocator is specified to do sizeof(T) * n directly; this may allow an attacker to cause this calculation to overflow, resulting in allocate() not meeting its postcondition of returning a buffer suitable to store n copies of T; this is a common bug described in CWE-190.

Making this into a saturating multiply should be sufficient to avoid this problem; any memory_resource underneath polymorphic_allocator is going to have to throw bad_alloc (or another exception) for a request of SIZE_MAX.

(There's also a minor editorial thing here that Returns should be Effects)

History
Date User Action Args
2018-11-12 04:39:29adminsetmessages: + msg10190
2018-11-12 04:39:29adminsetstatus: voting -> wp
2018-10-08 05:13:59adminsetstatus: ready -> voting
2018-08-24 13:31:33adminsetmessages: + msg10126
2018-08-24 13:31:33adminsetstatus: open -> ready
2018-06-12 04:35:59adminsetstatus: new -> open
2017-11-24 19:51:07adminsetmessages: + msg9568
2017-11-17 22:08:52adminsetmessages: + msg9564
2017-11-16 00:00:00admincreate