[klibc] [klibc:master] malloc: Fail if requested size > PTRDIFF_MAX
klibc-bot for Ben Hutchings
ben at decadent.org.uk
Thu Apr 29 17:00:19 PDT 2021
Commit-ID: a31ae8c508fc8d1bca4f57e9f9f88127572d5202
Gitweb: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=a31ae8c508fc8d1bca4f57e9f9f88127572d5202
Author: Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Wed, 28 Apr 2021 04:03:49 +0200
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Thu, 29 Apr 2021 16:01:54 +0200
[klibc] malloc: Fail if requested size > PTRDIFF_MAX
malloc() adds some overhead to the requested size, which may result in
an integer overflow and subsequent buffer overflow if it is close to
SIZE_MAX. It should fail if size is large enough for this to happen.
Further, it's not legal for a C object to be larger than
PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
overflow. So return failure immediately if size is greater than that.
CVE-2021-31873
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
---
usr/klibc/malloc.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c
index bb57c9f6..abda84c2 100644
--- a/usr/klibc/malloc.c
+++ b/usr/klibc/malloc.c
@@ -147,6 +147,15 @@ void *malloc(size_t size)
if (size == 0)
return NULL;
+ /* Various additions below will overflow if size is close to
+ SIZE_MAX. Further, it's not legal for a C object to be
+ larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer
+ arithmetic within it could overflow. */
+ if (size > PTRDIFF_MAX) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
/* Add the obligatory arena header, and round up */
size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;
More information about the klibc
mailing list