Fix wrong zmalloc_size() assumption. (#7963)

When using a system with no malloc_usable_size(), zmalloc_size() assumed that the heap allocator always returns blocks that are long-padded. This may not always be the case, and will result with zmalloc_size() returning a size that is bigger than allocated. At least in one case this leads to out of bound write, process crash and a potential security vulnerability. Effectively this does not affect the vast majority of users, who use jemalloc or glibc. This problem along with a (different) fix was reported by Drew DeVault. (cherry picked from commit 9824fe3e392caa04dc1b4071886e9ac402dd6d95)
author: Yossi Gottlieb <yossigo@gmail.com> 2020-10-26 14:49:08 +0200
committer: Oran Agra <oran@redislabs.com> 2020-10-27 09:12:01 +0200
commit: 3cc673bdd87d7d31bae0b4288b29e1c163981416 (patch)
tree: 6b92452082c32b03ec39a142922ab7468db34cc9
parent: de0919cd621766932f88fd4463b05cb1fa9addf9 (diff)
download: redis-3cc673bdd87d7d31bae0b4288b29e1c163981416.tar.gz
1 files changed, 0 insertions, 3 deletions
diff --git a/src/zmalloc.c b/src/zmalloc.c
index 2645432b6..d693aac1c 100644
--- a/src/zmalloc.c
+++ b/src/zmalloc.c
@@ -181,9 +181,6 @@ void *zrealloc(void *ptr, size_t size) {
 size_t zmalloc_size(void *ptr) {
     void *realptr = (char*)ptr-PREFIX_SIZE;
     size_t size = *((size_t*)realptr);
-    /* Assume at least that all the allocations are padded at sizeof(long) by
-     * the underlying allocator. */
-    if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
     return size+PREFIX_SIZE;
 }
 size_t zmalloc_usable(void *ptr) {
author	Yossi Gottlieb <yossigo@gmail.com>	2020-10-26 14:49:08 +0200
committer	Oran Agra <oran@redislabs.com>	2020-10-27 09:12:01 +0200
commit	3cc673bdd87d7d31bae0b4288b29e1c163981416 (patch)
tree	6b92452082c32b03ec39a142922ab7468db34cc9
parent	de0919cd621766932f88fd4463b05cb1fa9addf9 (diff)
download	redis-3cc673bdd87d7d31bae0b4288b29e1c163981416.tar.gz