Explicitly limit the OPENSSL_aligned_alloc()'s alignment to 65536

There is little need to support alignments larger than a page size,
and the open-coded OPENSSL_aligned_alloc() implementation implements
that support in a quite wasteful manner, so it is better just to limit
the maximum supported alignment explicitly.  The value of 65536
has been chosen so it is architecture-agnostic and is no less than page sizes
used in commonly occurring architectures (and also it is a pretty number).

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28295)
Eugene Syromiatnikov 2025-08-28 16:43:13 +02:00 committed by Neil Horman
parent f75a6d951a
commit 6c02774fd3
4 changed files with 12 additions and 5 deletions
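The commit message explains the motivation: an open-coded aligned allocator has to over-allocate by roughly the alignment so it can round the pointer up, so a huge alignment wastes memory, and the fix is to reject alignments above a fixed bound. The following is an added example, not OpenSSL's own code; the macro name `ALIGNED_ALLOC_MAX_ALIGNMENT`, the helper names, and the exact over-allocation (`alignment - 1` extra bytes) are assumptions chosen for illustration. It shows the combined power-of-two-plus-upper-bound check, the overflow guard the over-allocation needs, and the classic "allocate bigger, align up, return the raw pointer via `freeptr`" fallback the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical name for the upper bound the commit introduces (65536). */
#define ALIGNED_ALLOC_MAX_ALIGNMENT 65536

/* Returns 1 if alignment is a nonzero power of two no larger than the limit,
 * 0 otherwise. This mirrors the condition added by the patch. */
int alignment_is_valid(size_t alignment)
{
    return alignment != 0
        && (alignment & (alignment - 1)) == 0
        && alignment <= ALIGNED_ALLOC_MAX_ALIGNMENT;
}

/* Extra bytes the open-coded fallback must request beyond num to be able to
 * round the returned pointer up to the alignment (worst case it has to skip
 * alignment - 1 bytes). This is why large alignments are wasteful. */
size_t fallback_overhead(size_t alignment)
{
    return alignment - 1;
}

/* Open-coded aligned allocation in the style the commit message describes:
 * over-allocate, round the pointer up, and hand the raw pointer back through
 * *freeptr so the caller can free() it. Returns NULL (with *freeptr == NULL)
 * for an invalid alignment or when the size computation would overflow. */
void *aligned_alloc_fallback(size_t num, size_t alignment, void **freeptr)
{
    unsigned char *raw;
    uintptr_t addr, aligned;

    *freeptr = NULL;
    if (!alignment_is_valid(alignment))
        return NULL;
    /* Guard num + (alignment - 1) against size_t wraparound. */
    if (num > SIZE_MAX - fallback_overhead(alignment))
        return NULL;
    raw = malloc(num + fallback_overhead(alignment));
    if (raw == NULL)
        return NULL;
    *freeptr = raw;
    addr = (uintptr_t)raw;
    aligned = (addr + alignment - 1) & ~((uintptr_t)alignment - 1);
    return (void *)aligned;
}

/* Test helper: 1 if the fallback returned a correctly aligned block (which is
 * then freed), 0 if the request was rejected or malloc failed. */
int fallback_returns_aligned(size_t num, size_t alignment)
{
    void *freeptr = NULL;
    void *p = aligned_alloc_fallback(num, alignment, &freeptr);
    int ok = p != NULL && ((uintptr_t)p & (uintptr_t)(alignment - 1)) == 0;

    free(freeptr);
    return ok;
}
```

The `fallback_overhead()` value makes the trade-off concrete: a 64-byte alignment costs at most 63 extra bytes per allocation, while an unbounded alignment of, say, 2^20 would cost a megabyte of slack for even a 3-byte request, which is the waste the upper bound is meant to cap.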


@ -21,8 +21,9 @@ void *ossl_malloc_align(size_t num, size_t alignment, void **freeptr,
*freeptr = NULL;
/* Ensure that alignment is a power of two */
if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
/* Ensure that alignment is a power of two no larger than 65536 */
if (alignment == 0 || (alignment & (alignment - 1)) != 0
|| alignment > 65536) {
ossl_report_alloc_err_inv(file, line);
return NULL;
}
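Review bot: the new `|| alignment > 65536` bound in ossl_malloc_align is a bare literal that is repeated in the CRYPTO_aligned_alloc check and in the documentation; define it once in a shared header (for example `#define OSSL_ALIGNED_ALLOC_MAX_ALIGNMENT 65536`) and use that name in both conditions and in the updated comment, so the limit cannot drift between the two implementations and the docs.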


@ -233,8 +233,9 @@ void *CRYPTO_aligned_alloc(size_t num, size_t alignment, void **freeptr,
{
*freeptr = NULL;
/* Ensure that alignment is a power of two */
if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
/* Ensure that alignment is a power of two no larger than 65536 */
if (alignment == 0 || (alignment & (alignment - 1)) != 0
|| alignment > 65536) {
ossl_report_alloc_err_inv(file, line);
return NULL;
}
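Review bot: this condition in CRYPTO_aligned_alloc now duplicates the three-clause validity check from ossl_malloc_align verbatim; factor it into one small static inline helper (for example `ossl_is_valid_alignment(alignment)`) called from both sites, so a future change to either the power-of-two test or the upper bound is made in one place, and the `ossl_report_alloc_err_inv(file, line)` path stays the single reporting point for an invalid alignment.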


@ -125,7 +125,7 @@ OPENSSL_zalloc() calls memset() to zero the memory before returning.
OPENSSL_aligned_alloc() operates just as OPENSSL_malloc() does, but it
allows for the caller to specify an alignment value, for instances in
which the default alignment of malloc is insufficient for the caller's
needs. Note, the alignment value must be a power of 2.
needs. Note, the alignment value must be a power of 2 no larger than 65536.
NOTE: the call to OPENSSL_aligned_alloc() accepts a 3rd argument, I<freeptr>
which must point to a void pointer. On some platforms, there is no available
library call to obtain memory allocations with alignment greater than what
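Review bot: the sentence "the alignment value must be a power of 2 no larger than 65536" states the constraint but not the failure behaviour; since both implementations return NULL and report an invalid-argument error for an out-of-range alignment, add a sentence such as "Otherwise NULL is returned and an error is raised." so callers know the limit is enforced rather than silently rounded down.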
@ -311,6 +311,9 @@ was built with C<OPENSSL_SMALL_FOOTPRINT> macro defined. Consequently,
the caller may need to fall back to a non-aligned memory allocation
(and open-code the alignment routine if the alignment is a requirement).
Before OpenSSL 4.0, the call to OPENSSL_aligned_alloc() did not have
an explicit upper limit on the value of I<alignment>.
=head1 COPYRIGHT
Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
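Review bot: the HISTORY entry says that before OpenSSL 4.0 there was no explicit upper limit on I<alignment> but does not state the limit that now applies; a reader scanning HISTORY alone benefits from "did not have an explicit upper limit (now 65536) on the value of I<alignment>", which also keeps the number next to the version that introduced it.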


@ -173,6 +173,8 @@ static const struct array_aligned_alloc_vector {
{ 8, 8, 63, EXP_INVAL, EXP_INVAL },
{ 8, 8, 64, EXP_NONNULL, EXP_NONNULL },
{ 3, 4, 65536, EXP_NONNULL, EXP_NONNULL },
{ 8, 8, 131072, EXP_INVAL, EXP_INVAL },
{ SIZE_MAX / 8 + 9, 8, 64, EXP_NONNULL, EXP_INT_OF },
/*
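Review bot: the two new vectors pin the boundary correctly, 65536 accepted and the next power of two, 131072, rejected, matching the `> 65536` comparison in the code; however the 65536 row uses a `3, 4` num/size pair while the neighbouring rows use `8, 8`, with no comment explaining the deviation. Either follow the `8, 8` pattern or add a short comment on both new rows noting that they exercise the new upper bound, since the bare numbers otherwise give no hint which constraint each row is testing.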