From: Ben Hutchings Date: Wed, 28 Apr 2021 02:29:50 +0000 (+0200) Subject: [klibc] calloc: Fail if multiplication overflows X-Git-Tag: archive/raspbian/2.0.6-1+rpi1+deb10u1^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=63acbd57897f8825a996d348b3e348b0f1629ee9;p=klibc.git [klibc] calloc: Fail if multiplication overflows Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31870 calloc() multiplies its 2 arguments together and passes the result to malloc(). Since the factors and product both have type size_t, this can result in an integer overflow and subsequent buffer overflow. Check for this and fail if it happens. CVE-2021-31870 Signed-off-by: Ben Hutchings Gbp-Pq: Name 0037-klibc-calloc-Fail-if-multiplication-overflows.patch --- diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c index 53dcc6b..4a81cda 100644 --- a/usr/klibc/calloc.c +++ b/usr/klibc/calloc.c @@ -2,12 +2,17 @@ * calloc.c */ +#include #include #include -/* FIXME: This should look for multiplication overflow */ - void *calloc(size_t nmemb, size_t size) { - return zalloc(nmemb * size); + unsigned long prod; + + if (__builtin_umull_overflow(nmemb, size, &prod)) { + errno = ENOMEM; + return NULL; + } + return zalloc(prod); }
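Review bot: In calloc(), `prod` is declared `unsigned long` and the check uses `__builtin_umull_overflow`, whose operands are `unsigned long`, while `nmemb` and `size` are `size_t`, so the check is only sound where the two types have the same width. On an ABI where `size_t` is wider than `unsigned long`, both arguments would be implicitly converted (truncated) before the multiplication, and the overflow test would run on the truncated values. Declaring `size_t prod;` and calling the type-generic `__builtin_mul_overflow(nmemb, size, &prod)` keeps the check tied to the parameter type; if the typed builtin is kept deliberately, a short comment stating the width assumption in place of the removed FIXME would document it. The failure path itself (`errno = ENOMEM; return NULL;`) matches what callers of calloc() expect on allocation failure.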