Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31870
calloc() multiplies its 2 arguments together and passes the result to
malloc(). Since the factors and product both have type size_t, this
can result in an integer overflow and subsequent buffer overflow.
Check for this and fail if it happens.
CVE-2021-31870
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Name 0037-klibc-calloc-Fail-if-multiplication-overflows.patch
* calloc.c
*/
+#include <errno.h>
#include <stdlib.h>
#include <string.h>
-/* FIXME: This should look for multiplication overflow */
-
void *calloc(size_t nmemb, size_t size)
{
- return zalloc(nmemb * size);
+ unsigned long prod;
+
+ if (__builtin_umull_overflow(nmemb, size, &prod)) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return zalloc(prod);
}
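Review bot: in the new body of calloc(), the product is declared as "unsigned long prod;" and checked with __builtin_umull_overflow(), while nmemb and size are size_t, so the overflow test is only exact where unsigned long and size_t have the same width. On a target where size_t is narrower, a product that does not fit in size_t could pass the check and be truncated when passed to zalloc(prod). Consider declaring prod as size_t and using the type-generic __builtin_mul_overflow(nmemb, size, &prod), which checks against the type of the result operand and removes that assumption. Separately, the removed FIXME leaves the function without any comment; a one-line note that calloc() fails with ENOMEM when nmemb * size overflows would document the new behaviour for callers.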