diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2021-04-28 04:29:50 +0200 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2021-04-29 16:02:20 +0200 |
commit | 292650f04c2b5348b4efbad61fb014ed09b4f3f2 (patch) | |
tree | d7fa3f8844d87766943104120b39da471d4d9be0 | |
parent | a31ae8c508fc8d1bca4f57e9f9f88127572d5202 (diff) | |
download | klibc-292650f04c2b5348b4efbad61fb014ed09b4f3f2.tar.gz |
[klibc] calloc: Fail if multiplication overflows
calloc() multiplies its 2 arguments together and passes the result to
malloc(). Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.
CVE-2021-31870
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | usr/klibc/calloc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c index 53dcc6b2f6bf63..4a81cda15e1ce2 100644 --- a/usr/klibc/calloc.c +++ b/usr/klibc/calloc.c @@ -2,12 +2,17 @@ * calloc.c */ +#include <errno.h> #include <stdlib.h> #include <string.h> -/* FIXME: This should look for multiplication overflow */ - void *calloc(size_t nmemb, size_t size) { - return zalloc(nmemb * size); + unsigned long prod; + + if (__builtin_umull_overflow(nmemb, size, &prod)) { + errno = ENOMEM; + return NULL; + } + return zalloc(prod); } |