From 63acbd57897f8825a996d348b3e348b0f1629ee9 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 28 Apr 2021 04:29:50 +0200
Subject: [PATCH] [klibc] calloc: Fail if multiplication overflows
Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31870
calloc() multiplies its 2 arguments together and passes the result to malloc(). Since the factors and product both have type size_t, this can result in an integer overflow and subsequent buffer overflow. Check for this and fail if it happens. CVE-2021-31870
Signed-off-by: Ben Hutchings
Gbp-Pq: Name 0037-klibc-calloc-Fail-if-multiplication-overflows.patch
---
 usr/klibc/calloc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
index 53dcc6b..4a81cda 100644
--- a/usr/klibc/calloc.c
+++ b/usr/klibc/calloc.c
@@ -2,12 +2,17 @@
 * calloc.c
 */
+#include
 #include
 #include
-/* FIXME: This should look for multiplication overflow */
-
 void *calloc(size_t nmemb, size_t size)
 {
- return zalloc(nmemb * size);
+ unsigned long prod;
+
+ if (__builtin_umull_overflow(nmemb, size, &prod)) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return zalloc(prod);
 }
-- 
2.30.2
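Review bot: The overflow check in calloc() passes `size_t` arguments to the `unsigned long` builtin `__builtin_umull_overflow`, so it is only sound where `size_t` and `unsigned long` have the same width; on an ABI where `size_t` is wider, the arguments would be converted before the multiply and a wrapped product could pass the check. That probably holds for the Linux targets klibc is built for, but nothing in the new code states or enforces it. Declaring `size_t prod;` and calling `__builtin_mul_overflow(nmemb, size, &prod)` keeps the check tied to the parameter type; alternatively keep the typed builtin and add a build-time assertion that the two widths match. A short comment above the check, e.g. `/* nmemb * size must not wrap before it reaches zalloc() (CVE-2021-31870) */`, would replace the removed FIXME and record why the test exists.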