dlmalloc: Fix integer overflow in sbrk()

Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258

Gbp-Pq: Name CVE-2024-57258-1.patch

diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index b29a7cfd93d3e0324ad8b4c82be2d35314debb74..16fe49d0e16c17abf072be4b45e33ef244f2d8ee 100644 (file)
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -589,6 +589,9 @@ void *sbrk(ptrdiff_t increment)
        ulong old = mem_malloc_brk;
        ulong new = old + increment;
 
+       if ((new < mem_malloc_start) || (new > mem_malloc_end))
+               return (void *)MORECORE_FAILURE;
+
        /*
         * if we are giving memory back make sure we clear it out since
         * we set MORECORE_CLEARS to 1
@@ -596,9 +599,6 @@ void *sbrk(ptrdiff_t increment)
        if (increment < 0)
                memset((void *)new, 0, -increment);
 
-       if ((new < mem_malloc_start) || (new > mem_malloc_end))
-               return (void *)MORECORE_FAILURE;
-
        mem_malloc_brk = new;
 
        return (void *)old;