[klibc] malloc: Fail if requested size > PTRDIFF_MAX

Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31873

malloc() adds some overhead to the requested size, which may result in
an integer overflow and subsequent buffer overflow if it is close to
SIZE_MAX.  It should fail if size is large enough for this to happen.

Further, it's not legal for a C object to be larger than
PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
overflow.  So return failure immediately if size is greater than that.

CVE-2021-31873

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch

diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c
index bb57c9f6ffd34ab8f8408887cde939f5bac5e3c2..abda84c27105ed0e28bec8c98c47f15705144148 100644 (file)
--- a/usr/klibc/malloc.c
+++ b/usr/klibc/malloc.c
@@ -147,6 +147,15 @@ void *malloc(size_t size)
        if (size == 0)
                return NULL;
 
+       /* Various additions below will overflow if size is close to
+          SIZE_MAX.  Further, it's not legal for a C object to be
+          larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer
+          arithmetic within it could overflow. */
+       if (size > PTRDIFF_MAX) {
+               errno = ENOMEM;
+               return NULL;
+       }
+
        /* Add the obligatory arena header, and round up */
        size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;