From: Richard Weinberger <richard@nod.at>
Date: Fri, 2 Aug 2024 10:08:45 +0000 (+0200)
Subject: dlmalloc: Fix integer overflow in sbrk()
X-Git-Tag: archive/raspbian/2021.01+dfsg-5+rpi1+deb11u1^2~4
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f5ebb456128bfef3d142e34b562d5eeb7ffaa1f1;p=u-boot.git

dlmalloc: Fix integer overflow in sbrk()

Make sure that the new break is within mem_malloc_start
and mem_malloc_end before making progress.
ulong new = old + increment; can overflow for extremely large
increment values and memset() can get wrongly called.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Simon Glass <sjg@chromium.org>

Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
Bug-Debian: https://bugs.debian.org/1098254
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258

Gbp-Pq: Name CVE-2024-57258-1.patch
---

diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index b29a7cfd9..16fe49d0e 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -589,6 +589,9 @@ void *sbrk(ptrdiff_t increment)
 	ulong old = mem_malloc_brk;
 	ulong new = old + increment;
 
+	if ((new < mem_malloc_start) || (new > mem_malloc_end))
+		return (void *)MORECORE_FAILURE;
+
 	/*
 	 * if we are giving memory back make sure we clear it out since
 	 * we set MORECORE_CLEARS to 1
@@ -596,9 +599,6 @@ void *sbrk(ptrdiff_t increment)
 	if (increment < 0)
 		memset((void *)new, 0, -increment);
 
-	if ((new < mem_malloc_start) || (new > mem_malloc_end))
-		return (void *)MORECORE_FAILURE;
-
 	mem_malloc_brk = new;
 
 	return (void *)old;