author: Ben Hutchings <ben@decadent.org.uk> 2021-04-28 04:03:49 +0200
committer: Ben Hutchings <ben@decadent.org.uk> 2021-04-29 16:01:54 +0200
commit: a31ae8c508fc8d1bca4f57e9f9f88127572d5202 (patch)
tree: d46f55953d29fbd0c691396432e5a98891bc48ac
parent: 7f6626d12daa2f1efd9953d1f4ba2065348dc5cd (diff)
download: klibc-a31ae8c508fc8d1bca4f57e9f9f88127572d5202.tar.gz
[klibc] malloc: Fail if requested size > PTRDIFF_MAX
malloc() adds some overhead to the requested size, which may result in an integer overflow and subsequent buffer overflow if it is close to SIZE_MAX. It should fail if size is large enough for this to happen.

Further, it's not legal for a C object to be larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could overflow. So return failure immediately if size is greater than that.

CVE-2021-31873

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- usr/klibc/malloc.c 9
1 file changed, 9 insertions, 0 deletions
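To make the overflow described in the commit message concrete, the following is an added C example, not klibc's own code. It reproduces the header-padding arithmetic from the patched line with a hypothetical 16-byte header size and alignment mask standing in for klibc's struct arena_header and ARENA_SIZE_MASK (assumed values, chosen for illustration), shows the unchecked computation wrapping to a tiny allocation for a request just below SIZE_MAX, and places the patch's PTRDIFF_MAX guard beside it so the two can be compared on the same inputs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for klibc's arena header and size mask; only the
   arithmetic shape matters here, not the real layout. */
#define HDR_SIZE   16u
#define ALIGN_MASK (~(size_t)(HDR_SIZE - 1))   /* round to a 16-byte multiple */

/* Pre-fix computation: pad for two headers and round up, with no bound check.
   Returns the number of bytes that would actually be carved from the heap. */
size_t padded_size_unchecked(size_t size)
{
    return (size + 2 * HDR_SIZE - 1) & ALIGN_MASK;
}

/* Post-fix computation: the same arithmetic behind the patch's guard.
   Returns 0 and sets *err to ENOMEM when size exceeds PTRDIFF_MAX. */
size_t padded_size_checked(size_t size, int *err)
{
    *err = 0;
    if (size > PTRDIFF_MAX) {
        *err = ENOMEM;
        return 0;
    }
    /* size <= PTRDIFF_MAX, so adding 2 * HDR_SIZE - 1 cannot wrap. */
    return (size + 2 * HDR_SIZE - 1) & ALIGN_MASK;
}

/* Did the unchecked padding wrap, i.e. yield fewer bytes than requested? */
int wraps(size_t size)
{
    return padded_size_unchecked(size) < size;
}

/* Does the checked version refuse this request with ENOMEM? */
int rejected(size_t size)
{
    int err;
    size_t r = padded_size_checked(size, &err);
    return r == 0 && err == ENOMEM;
}

int main(void)
{
    size_t huge = SIZE_MAX - 8;   /* constructed request just below SIZE_MAX */
    size_t small = 100;           /* constructed ordinary request */

    printf("request %zu: unchecked pads to %zu (wraps=%d), rejected=%d\n",
           huge, padded_size_unchecked(huge), wraps(huge), rejected(huge));
    printf("request %zu: unchecked pads to %zu (wraps=%d), rejected=%d\n",
           small, padded_size_unchecked(small), wraps(small), rejected(small));
    return 0;
}
```

The wrapped result is the dangerous case: a near-SIZE_MAX request becomes a 16-byte arena, the caller believes it owns gigabytes, and the first write past 16 bytes is a heap overflow. The guard rejects everything above PTRDIFF_MAX, and since PTRDIFF_MAX plus the header padding still fits in a size_t, the padded size is never smaller than the request once the check passes.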
diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c
index bb57c9f6ffd34..abda84c27105e 100644
--- a/usr/klibc/malloc.c
+++ b/usr/klibc/malloc.c
@@ -147,6 +147,15 @@ void *malloc(size_t size)
if (size == 0)
return NULL;
+ /* Various additions below will overflow if size is close to
+ SIZE_MAX. Further, it's not legal for a C object to be
+ larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer
+ arithmetic within it could overflow. */
+ if (size > PTRDIFF_MAX) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
/* Add the obligatory arena header, and round up */
size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;
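Review bot: the new guard references PTRDIFF_MAX and ENOMEM, but the hunk shows no header changes; confirm that malloc.c already includes <stdint.h> (or <limits.h>) and <errno.h>, or add them, so both names are in scope in every build configuration. The placement after the `if (size == 0)` early return is right, and with `size <= PTRDIFF_MAX` the following `size + 2 * sizeof(struct arena_header) - 1` cannot wrap, so the comment matches the code. One follow-up to check outside this hunk: if realloc() or calloc() in this file feed a caller-supplied size into the same padding arithmetic, they need the same bound rather than relying on malloc() alone.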