[klibc] [klibc:master] calloc: Fail if multiplication overflows

[klibc-bot for Ben Hutchings]

Commit-ID:  292650f04c2b5348b4efbad61fb014ed09b4f3f2
Gitweb:     http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=292650f04c2b5348b4efbad61fb014ed09b4f3f2
Author:     Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Wed, 28 Apr 2021 04:29:50 +0200
Committer:  Ben Hutchings <ben at decadent.org.uk>
CommitDate: Thu, 29 Apr 2021 16:02:20 +0200

[klibc] calloc: Fail if multiplication overflows

calloc() multiplies its 2 arguments together and passes the result to
malloc().  Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.

CVE-2021-31870

Signed-off-by: Ben Hutchings <ben at decadent.org.uk>

---
 usr/klibc/calloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
index 53dcc6b2..4a81cda1 100644
--- a/usr/klibc/calloc.c
+++ b/usr/klibc/calloc.c
@@ -2,12 +2,17 @@
  * calloc.c
  */
 
+#include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 
-/* FIXME: This should look for multiplication overflow */
-
 void *calloc(size_t nmemb, size_t size)
 {
-	return zalloc(nmemb * size);
+	unsigned long prod;
+
+	if (__builtin_umull_overflow(nmemb, size, &prod)) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	return zalloc(prod);
 }