[PATCH] unwind_prot.c: Avoid buffer overflow

[Jessica Clarke]

In unwind_protect_mem_internal, we must make sure to allocate at least a
full UNWIND_ELT, even if the required size for desired_setting is less
than the remaining padding in UNWIND_ELT. Otherwise when we come to
memset it with 0xdf in unwind_frame_discard_internal we will overflow
the allocation.

On existing 32-bit and 64-bit architectures, this padding happens to be
only 4 bytes, and no users of this function call it with a size smaller
than 4 (unwind_protect_short and unwind_protect_string are both
currently unused). However, we should not rely on this as this could
change in future. Moreover on CHERI-RISC-V, pointers are replaced with
capabilities, 16-byte fat pointers, and the padding now ends up being 12
bytes, violating this assumption, but also trapping on this detected
buffer overflow by virtue of its fine-grained bounds.
---
 unwind_prot.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/unwind_prot.c b/unwind_prot.c
index c9196dc1..37429924 100644
--- a/unwind_prot.c
+++ b/unwind_prot.c
@@ -349,6 +349,8 @@ unwind_protect_mem_internal (var, psize)
 
   size = *(int *) psize;
   allocated = size + offsetof (UNWIND_ELT, sv.v.desired_setting[0]);
+  if (allocated < sizeof (UNWIND_ELT))
+    allocated = sizeof (UNWIND_ELT);
   elt = (UNWIND_ELT *)xmalloc (allocated);
   elt->head.next = unwind_protect_list;
   elt->head.cleanup = (Function *) restore_variable;
-- 
2.20.1