diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2021-04-28 04:03:49 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2021-04-29 16:01:54 +0200 |
| commit | a31ae8c508fc8d1bca4f57e9f9f88127572d5202 (patch) | |
| tree | d46f55953d29fbd0c691396432e5a98891bc48ac | |
| parent | 7f6626d12daa2f1efd9953d1f4ba2065348dc5cd (diff) | |
| download | klibc-a31ae8c508fc8d1bca4f57e9f9f88127572d5202.tar.gz | |
[klibc] malloc: Fail if requested size > PTRDIFF_MAX
malloc() adds some overhead to the requested size, which may result in
an integer overflow and subsequent buffer overflow if it is close to
SIZE_MAX. It should fail if size is large enough for this to happen.
Further, it's not legal for a C object to be larger than
PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
overflow. So return failure immediately if size is greater than that.
CVE-2021-31873
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | usr/klibc/malloc.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c index bb57c9f6ffd34..abda84c27105e 100644 --- a/usr/klibc/malloc.c +++ b/usr/klibc/malloc.c @@ -147,6 +147,15 @@ void *malloc(size_t size) if (size == 0) return NULL; + /* Various additions below will overflow if size is close to + SIZE_MAX. Further, it's not legal for a C object to be + larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer + arithmetic within it could overflow. */ + if (size > PTRDIFF_MAX) { + errno = ENOMEM; + return NULL; + } + /* Add the obligatory arena header, and round up */ size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK; |
