GNU C Library Integer Overflow Vulnerability in Memory Alignment Functions Leading to Heap Corruption

Vulnerability

A vulnerability exists in GNU C Library (glibc) versions 2.30 through 2.42: passing an excessively large alignment value to the memory alignment functions causes an integer overflow. The overflow leads to heap corruption because a smaller buffer than intended is allocated while the allocator writes heap metadata at incorrect, often far-off locations. The issue is in the '_int_memalign' function within the malloc component: when the alignment is 2^63 and the requested byte size is close to PTRDIFF_MAX, the computed buffer size wraps around to a tiny value. The allocator therefore returns a small chunk, but the code that follows writes chunk headers based on the expected larger size, corrupting allocator state and potentially allowing exploitation.

Impact

Triggering this vulnerability causes a segmentation fault (SIGSEGV) in the '_int_memalign' function due to an invalid memory access: heap metadata is written beyond the allocated memory, corrupting the heap.

Reproduction

The vulnerability can be reproduced by compiling a program that includes the standard library headers for memory management and integer types. The program should call 'posix_memalign' with an alignment of 2^63 and a size close to PTRDIFF_MAX. This combination triggers the integer overflow, causing the memory allocator to return a tiny chunk, which is then used to overwrite heap metadata at incorrect offsets, leading to corruption.
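The check below is an added example written for this entry; it is not glibc code and does not reproduce the crash. It shows a caller-side guard for the condition described in the Vulnerability and Reproduction sections: an alignment of 2^63 combined with a size near PTRDIFF_MAX makes the padded request wrap or exceed PTRDIFF_MAX, so a wrapper can reject such requests before they reach posix_memalign. The function names 'memalign_request_fits' and 'checked_posix_memalign' and the choice of 'alignment' bytes as the padding estimate are assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical caller-side guard (added example, not glibc's own code).
 * The allocator has to reserve roughly `alignment` bytes of slack on top
 * of `size` to find an aligned address; the padding estimate used here is
 * an assumption of this example, not glibc's exact formula. */
bool memalign_request_fits(size_t alignment, size_t size) {
    size_t padded;

    /* posix_memalign requires a power-of-two alignment; anything else is
     * invalid regardless of size. */
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return false;

    /* Detect the wrap-around in the padded request size. */
    if (__builtin_add_overflow(size, alignment, &padded))
        return false;

    /* Even without wrapping, a request above PTRDIFF_MAX is not a valid
     * object size; this rejects 2^63 + (PTRDIFF_MAX - small). */
    return padded <= (size_t)PTRDIFF_MAX;
}

/* Wrapper that applies the guard and then defers to the real allocator.
 * Returns EINVAL for rejected requests, mirroring posix_memalign's
 * error convention of returning an errno value rather than setting errno. */
int checked_posix_memalign(void **out, size_t alignment, size_t size) {
    *out = NULL;
    if (alignment % sizeof(void *) != 0 || !memalign_request_fits(alignment, size))
        return EINVAL;
    return posix_memalign(out, alignment, size);
}
```

The guard is deliberately conservative: it rejects the alignment/size pair from the advisory (2^63 with a size near PTRDIFF_MAX) while still accepting ordinary requests such as a 64-byte-aligned 1 KiB buffer, which the allocator serves normally.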

Added: Jan 14, 2026, 9:27 PM
Updated: Jan 14, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 5.0
exploitability: 3.6
remediation: 0.0
relevance: 2.1
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.