[PATCH 4/4] dlmalloc: Make sure allocation size is within malloc area
Simon Glass
sjg at chromium.org
Tue Aug 6 23:50:45 CEST 2024
Hi Richard,
On Fri, 2 Aug 2024 at 04:08, Richard Weinberger <richard at nod.at> wrote:
>
> Since U-Boot does not support memory overcommit we can
> enforce that the allocation size is within the malloc area.
> This is a simple and efficient hardening measure to mitigate
> further integer overflows in dlmalloc.
>
> Signed-off-by: Richard Weinberger <richard at nod.at>
> ---
> common/dlmalloc.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/common/dlmalloc.c b/common/dlmalloc.c
> index c8d1da1cb1..d264fc031a 100644
> --- a/common/dlmalloc.c
> +++ b/common/dlmalloc.c
> @@ -1274,7 +1274,8 @@ Void_t* mALLOc_impl(bytes) size_t bytes;
> return NULL;
> }
>
> - if ((long)bytes < 0) return NULL;
> + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
> + return NULL;
>
> nb = request2size(bytes); /* padded request size; */
>
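Review bot: with the upper bound in place, the `(long)bytes < 0` half of the new condition is redundant, because any size_t with its top bit set is also greater than CONFIG_SYS_MALLOC_LEN (a heap length is nowhere near LONG_MAX), so `if (bytes > CONFIG_SYS_MALLOC_LEN) return NULL;` would express the same check; keeping both halves is harmless but suggests the two tests are independent. A one-line comment above the test restating the justification from the commit message (no overcommit, so a request larger than the whole malloc area can never be satisfied) would help the next reader, and it is worth spelling out that the bound is what keeps the padding added by `request2size(bytes)` on the following line from wrapping: the sign test alone still lets through values just below LONG_MAX whose padded size crosses into negative territory.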
> @@ -1687,7 +1688,8 @@ Void_t* rEALLOc_impl(oldmem, bytes) Void_t* oldmem; size_t bytes;
> }
> #endif
>
> - if ((long)bytes < 0) return NULL;
> + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
> + return NULL;
>
> /* realloc of null is supposed to be same as malloc */
> if (oldmem == NULL) return mALLOc_impl(bytes);
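Review bot: this is the second of three identical copies of `bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0` in this patch (malloc, realloc, memalign); a single static inline helper, say `malloc_size_ok(bytes)`, would keep them in step if the bound ever changes, for instance to account for the pre-relocation heap. Note also that the `oldmem == NULL` path on the line after the check forwards to `mALLOc_impl(bytes)`, which applies the same test again, so in realloc the check only matters for the resize path that follows.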
> @@ -1907,7 +1909,8 @@ Void_t* mEMALIGn_impl(alignment, bytes) size_t alignment; size_t bytes;
> mchunkptr remainder; /* spare room at end to split off */
> long remainder_size; /* its size */
>
> - if ((long)bytes < 0) return NULL;
> + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
> + return NULL;
>
> #if CONFIG_IS_ENABLED(SYS_MALLOC_F)
> if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT)) {
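Review bot: in memalign the check sits above the `CONFIG_IS_ENABLED(SYS_MALLOC_F)` / `GD_FLG_FULL_MALLOC_INIT` branch on the trailing context lines, so it also runs on the pre-relocation path, where the live heap is the small early allocator rather than CONFIG_SYS_MALLOC_LEN; the bound is loose there (not wrong, just not the "within the malloc area" limit the commit message describes), which is another reason to centralise the test in one helper. The `alignment` parameter in the function signature is left unbounded by this hunk; memalign has to request alignment-dependent extra space on top of `nb` further down, so if a caller can pass a huge alignment a matching `alignment > CONFIG_SYS_MALLOC_LEN` rejection next to this one would complete the hardening, unless an earlier patch in the series already covers it.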
> --
> 2.35.3
>
Reviewed-by: Simon Glass <sjg at chromium.org>
I wonder if we can get away without the memalign() one since it is
calling malloc() always? There is still the request2size() though.
Regards,
Simon
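The following C model, added here as an example and not taken from the patch or from U-Boot's common/dlmalloc.c, shows the class of overflow the bound is meant to stop. It reproduces request2size() in the shape dlmalloc writes it (size word plus alignment slack, rounded up, with a signed compare that falls back to MINSIZE for tiny requests), and compares the old sign-only guard with the new heap-length guard. The constants SIZE_SZ, MALLOC_ALIGNMENT, MINSIZE and the 8 MiB SYS_MALLOC_LEN standing in for CONFIG_SYS_MALLOC_LEN are assumptions of this example, as are the helper names; the requests it probes are constructed for the demonstration. It generalises slightly beyond the patch by locating the exact window of sizes that pass `(long)bytes < 0` yet collapse to MINSIZE.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of dlmalloc's request-size arithmetic, written for this
 * discussion; it is not copied from U-Boot's common/dlmalloc.c. The constants
 * follow the classic dlmalloc layout (one size word, 2*sizeof(size_t)
 * alignment, four-word minimum chunk) and SYS_MALLOC_LEN stands in for the
 * board's CONFIG_SYS_MALLOC_LEN; all of these are assumptions of the example.
 */
#define SIZE_SZ           (sizeof(size_t))
#define MALLOC_ALIGNMENT  (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK (MALLOC_ALIGNMENT - 1)
#define MINSIZE           (4 * SIZE_SZ)
#define SYS_MALLOC_LEN    ((size_t)8 * 1024 * 1024)   /* assumed 8 MiB heap */

/*
 * request2size() in the shape dlmalloc writes it: add the size word plus the
 * alignment slack, round up, and fall back to MINSIZE for tiny requests.
 * The "tiny request" test is a signed compare, so a request whose padded
 * value crosses LONG_MAX turns negative and is silently treated as tiny.
 */
static size_t request2size(size_t req)
{
	size_t padded = req + (SIZE_SZ + MALLOC_ALIGN_MASK);

	if ((long)padded < (long)(MINSIZE + MALLOC_ALIGN_MASK))
		return MINSIZE;
	return padded & ~MALLOC_ALIGN_MASK;
}

/* True when the chunk dlmalloc would hand out is smaller than the request. */
static bool request_is_undersized(size_t bytes)
{
	return request2size(bytes) < bytes;
}

/* Smallest request that passes the old sign check yet wraps in request2size(). */
static size_t first_overflowing_request(void)
{
	return (size_t)LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) + 1;
}

/* The pre-patch guard: only sizes with the top bit set are refused. */
static bool size_ok_old(size_t bytes)
{
	return (long)bytes >= 0;
}

/* The post-patch guard: anything larger than the whole malloc area is refused. */
static bool size_ok_new(size_t bytes)
{
	return !(bytes > SYS_MALLOC_LEN || (long)bytes < 0);
}

int main(void)
{
	/* Constructed probe sizes: ordinary, at the bound, and around the wrap. */
	size_t probes[] = { 1, 100, SYS_MALLOC_LEN, SYS_MALLOC_LEN + 1,
			    first_overflowing_request() - 1,
			    first_overflowing_request(), (size_t)-1 };
	size_t i;

	printf("%22s %6s %6s %22s %s\n", "request", "old", "new",
	       "chunk", "undersized");
	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		size_t b = probes[i];

		printf("%22zu %6s %6s %22zu %s\n", b,
		       size_ok_old(b) ? "pass" : "reject",
		       size_ok_new(b) ? "pass" : "reject",
		       request2size(b),
		       request_is_undersized(b) ? "YES" : "no");
	}
	return 0;
}
```

Build with `cc -Wall model.c -o model && ./model`. The table shows that the old guard passes every request from `first_overflowing_request()` up to LONG_MAX while request2size() returns MINSIZE for all of them, i.e. a chunk of a few words for a request of several exabytes; the new guard rejects that whole window, and everything else above the heap length, before any of the padding arithmetic runs.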