Merge 9ca3279507 into d4e40af550

C23 declared calling realloc(3) with a non-NULL pointer and zero size
Undefined behavior.
Check that hardened_malloc handles that case sanely by free'ing the old
pointer and returning a special pointer, like `malloc(3)` called with
size zero.

LICENSE

@@ -1,4 +1,4 @@
-Copyright © 2018-2025 GrapheneOS
+Copyright © 2018-2026 GrapheneOS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -83,7 +83,7 @@ there will be custom integration offering better performance in the future
 along with other hardening for the C standard library implementation.
 
 For Android, only the current generation, actively developed maintenance branch of the Android
-Open Source Project will be supported, which currently means `android16-qpr1-release`.
+Open Source Project will be supported, which currently means `android16-qpr2-release`.
 
 ## Testing
 

test/.gitignore

@@ -41,4 +41,7 @@ overflow_small_8_byte
 uninitialized_read_large
 uninitialized_read_small
 realloc_init
+realloc_c23_undefined_behaviour
+realloc_c23_undefined_behaviour_double_free
+realloc_c23_undefined_behaviour_use_after_free
 __pycache__/

test/Makefile

@@ -67,7 +67,10 @@ EXECUTABLES := \
     invalid_malloc_object_size_small \
     invalid_malloc_object_size_small_quarantine \
     impossibly_large_malloc \
-    realloc_init
+    realloc_init \
+    realloc_c23_undefined_behaviour \
+    realloc_c23_undefined_behaviour_double_free \
+    realloc_c23_undefined_behaviour_use_after_free
 
 all: $(EXECUTABLES)
 

test/realloc_c23_undefined_behaviour.c

@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    free(q);
+
+    return 0;
+}

test/realloc_c23_undefined_behaviour_double_free.c

@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(16);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    free(p);
+
+    return 0;
+}

test/realloc_c23_undefined_behaviour_use_after_free.c

@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "test_util.h"
+
+OPTNONE int main(void) {
+    char *p, *q, *r;
+
+    p = malloc(256 * 1024);
+    if (!p) {
+        return 1;
+    }
+
+    q = realloc(p, 0);
+
+    printf("%c\n", *p);
+
+    free(q);
+
+    return 0;
+}

test/test_smc.py

@@ -169,6 +169,20 @@ class TestSimpleMemoryCorruption(unittest.TestCase):
         self.assertEqual(stderr.decode("utf-8"),
                          "fatal allocator error: invalid realloc\n")
 
+    def test_realloc_c23_undefined_behaviour(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour")
+        self.assertEqual(returncode, 0)
+
+    def test_realloc_c23_undefined_behaviour_double_free(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour_double_free")
+        self.assertEqual(returncode, -6)
+        self.assertEqual(stderr.decode("utf-8"),
+                         "fatal allocator error: double free (quarantine)\n")
+
+    def test_realloc_c23_undefined_behaviour_use_after_free(self):
+        _stdout, stderr, returncode = self.run_test("realloc_c23_undefined_behaviour_use_after_free")
+        self.assertEqual(returncode, -11)
+
     def test_write_after_free_large_reuse(self):
         _stdout, _stderr, returncode = self.run_test(
             "write_after_free_large_reuse")