Page History

If ptr was allocated with an alignment returned from Do not modify the alignment of space allocated by aligned_alloc() and realloc() reallocates memory with a different alignment, the behavior is undefined. This aligned_alloc()function was introduced in the C11 standard by calling realloc().

Noncompliant Code Example

This noncompliant code example aligns ptr returns a pointer to allocated memory that has been aligned to a 4096-byte boundary, whereas .  If the resize argument to the realloc() function aligns the memory to a suitable, but likely different, alignment:is larger than the space referenced by ptr, realloc() will allocate new memory that is suitably aligned so that it may be assigned to a pointer to any type of object with a fundamental alignment requirement, but may not preserve the stricter alignment requirements of the original space.

#include <stdlib.h>
 
void func(void) {
  size_t resize = 1024;
  size_t alignment = 1 << 12;
  int *ptr;
  int *ptr1;

  if ((ptr = aligned_alloc(alignment , sizeof(int))) == NULL) {
    /* Handle error */
  }

  if ((ptr1 = realloc(ptr, resize)) == NULL) {
    /* Handle error */
  }
}

...

Implementation Details

When compiled with GCC 4.1.2 and run on the x86_64 Red Hat Linux platform, the following code produces the following output:

CODE

#include <stdlib.h>
#include <stdio.h>

int main(void) {
  size_t  size = 16;
  size_t resize = 1024;
  size_t align = 1 << 12;
  int *ptr;
  int *ptr1;

  if (posix_memalign((void **)&ptr, align , size) != 0) {
    exit(EXIT_FAILURE);
  }

  printf("memory aligned to %d bytes\n", align);
  printf("ptr = %p\n\n", ptr);

  if ((ptr1 = realloc((int *)ptr, resize)) == NULL) {
    exit(EXIT_FAILURE);
  }

  puts("After realloc(): \n");
  printf("ptr1 = %p\n", ptr1);

  free(ptr1);
  return 0;
}

OUTPUT

memory aligned to 4096 bytes
ptr = 0x1621b000

After realloc():
ptr1 = 0x1621a010

ptr1 is no longer aligned to 4096 bytes.

Compliant Solution

This compliant solution implements an aligned realloc() function. It solution  allocates resize bytes of new memory with the same alignment as the old memory and then moves the old memory there, , copies the original memory content, and then frees the old memory:

#include <stdlib.h>
 
void func(void) {
  size_t resize = 1024;
  size_t alignment = 1 << 12;
  int *ptr;
  int *ptr1;

  if ((ptr = aligned_alloc(alignment, sizeof(int))) == NULL) {
    /* Handle error */
  }

  if ((ptr1 = aligned_alloc(alignment, resize)) == NULL) {
    /* Handle error */
  }

  if ((memcpy(ptr1, ptr, sizeof(int)) == NULL) {
    /* Handle error */
  }

  free(ptr);
}

Compliant Solution (Windows)

On Windows, aligned allocations happen via calls to Windows defines the _aligned_malloc() and can be reallocated with calls to  to allocate memory on a specified alignment boundary.  The _aligned_realloc()[MSDN] can be used to change the size of this memory. This compliant solution demonstrates one such usage:

#include <malloc.h>
 
void func(void) {
  size_t alignment = 1 << 12;
  int *ptr;
  int *ptr1;
 
  /* Original allocation */
  if ((ptr = _aligned_malloc(sizeof(int), alignment))
      == NULL) {
    /* Handle error */
  }
 
  /* Reallocation */
  if ((ptr1 = _aligned_realloc(ptr, 1024, alignment))
      == NULL) {
    _aligned_free(ptr);
    /* Handle error */
  }

  _aligned_free(ptr1);
}

Note that on Windows, the size and alignment arguments for _aligned_malloc() takes the size and alignment arguments are provided in reverse order from of the C 's Standard aligned_alloc() function. 

Risk Assessment

Improper alignment can lead to arbitrary memory locations being accessed and written to.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography