klibc-bot for Ben Hutchings
2021-Apr-30 00:00 UTC
[klibc] [klibc:master] calloc: Fail if multiplication overflows
Commit-ID: 292650f04c2b5348b4efbad61fb014ed09b4f3f2
Gitweb:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=292650f04c2b5348b4efbad61fb014ed09b4f3f2
Author: Ben Hutchings <ben at decadent.org.uk>
AuthorDate: Wed, 28 Apr 2021 04:29:50 +0200
Committer: Ben Hutchings <ben at decadent.org.uk>
CommitDate: Thu, 29 Apr 2021 16:02:20 +0200
[klibc] calloc: Fail if multiplication overflows
calloc() multiplies its 2 arguments together and passes the result to
malloc(). Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.
CVE-2021-31870
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
---
usr/klibc/calloc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
index 53dcc6b2..4a81cda1 100644
--- a/usr/klibc/calloc.c
+++ b/usr/klibc/calloc.c
@@ -2,12 +2,17 @@
* calloc.c
*/
+#include <errno.h>
#include <stdlib.h>
#include <string.h>
-/* FIXME: This should look for multiplication overflow */
-
void *calloc(size_t nmemb, size_t size)
{
- return zalloc(nmemb * size);
+ unsigned long prod;
+
+ if (__builtin_umull_overflow(nmemb, size, &prod)) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return zalloc(prod);
}