[Bug 290409] dd(1) integer and Heap Overflow
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 290409] DD integer and Heap Overflow"
Date: Wed, 22 Oct 2025 13:37:39 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290409
Dag-Erling Smørgrav <des@FreeBSD.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Closed
         Resolution|---                         |Works As Intended
                 CC|                            |des@FreeBSD.org
--- Comment #1 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
(In reply to Igor Gabriel S. Souza from comment #0)
> The values `in.dbsz` and `out.dbsz` come from command-line arguments
> (`ibs=`, `obs=`, or `bs=`).
>
> Both are `size_t`, but they can be assigned from an integer without
> validation, coming from argv parsing.
Validation is performed in f_bs(), f_ibs() and f_obs() in bin/dd/args.c.
> The calculation `(size_t)out.dbsz + in.dbsz - 1` can exceed
> `SIZE_MAX`, which causes an arithmetic overflow and the result wraps
> to a small value — `malloc()` then allocates less memory than the code
> expects.
Both variables are constrained to SSIZE_MAX (2^63 - 1), therefore their
sum cannot exceed SIZE_MAX - 1 (2^64 - 2).
> root@igor:~ # valgrind dd if=infile of=outfile ibs=9223372036854775800 obs=9223372036854775800
> [...]
> dd: input buffer: Cannot allocate memory
> [...]
> This confirms heap corruption.
No, it means that dd tried to allocate more memory than is possible and
malloc() returned NULL. You can confirm this with ktrace:
% MALLOC_CONF=utrace:true ktrace dd if=/boot/CRASH/kernel of=/dev/zero ibs=9223372036854775800 obs=9223372036854775800
dd: input buffer: Cannot allocate memory
% kdump | grep malloc
66287 dd NAMI "/etc/malloc.conf"
66287 dd USER 0x3dcfc8c08000 = malloc(128)
66287 dd USER 0x3dcfc8c09600 = malloc(104160)
66287 dd USER 0x3dcfc8c26000 = malloc(22)
66287 dd USER 0x3dcfc8c27000 = malloc(13)
66287 dd USER 0x3dcfc8c26020 = malloc(24)
66287 dd USER 0x3dcfc8c26040 = malloc(24)
66287 dd USER 0x0 = malloc(18446744073709551599)
66287 dd USER 0x3dcfc8c28000 = malloc(2)
66287 dd USER 0x3dcfc8c29000 = malloc(104)
66287 dd USER 0x3dcfc8c30000 = malloc(56)
66287 dd USER 0x3dcfc8c28000 = malloc(5)
66287 dd USER 0x3dcfc8c28008 = malloc(2)