dlmalloc: Fix integer overflow in request2size()

req is of type size_t, casting it to long opens the door
for an integer overflow.
Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
cause and overflow such that request2size() returns MINSIZE.

Fix by removing the cast.
The origin of the cast is unclear, it's in u-boot and ppcboot since ever
and predates the CVS history.
Doug Lea's original dlmalloc implementation also doesn't have it.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258

Gbp-Pq: Name CVE-2024-57258-2.patch

diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index 16fe49d0e16c17abf072be4b45e33ef244f2d8ee..156481cb4261550f39c0b4d69e3eadf0f09b2012 100644 (file)
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -367,8 +367,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 /* pad request bytes into a usable size */
 
 #define request2size(req) \
- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
-  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
 
 /* Check if m has acceptable alignment */