From ea9be4751a1ea8fe60ea0fde5fe33eae5395026d Mon Sep 17 00:00:00 2001 From: Richard Weinberger Date: Fri, 2 Aug 2024 12:08:44 +0200 Subject: [PATCH] dlmalloc: Fix integer overflow in request2size() req is of type size_t, casting it to long opens the door for an integer overflow. Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX cause and overflow such that request2size() returns MINSIZE. Fix by removing the cast. The origin of the cast is unclear, it's in u-boot and ppcboot since ever and predates the CVS history. Doug Lea's original dlmalloc implementation also doesn't have it. Signed-off-by: Richard Weinberger Reviewed-by: Simon Glass Reviewed-By: Daniel Leidert Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2 Bug-Debian: https://bugs.debian.org/1098254 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258 Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258 Gbp-Pq: Name CVE-2024-57258-2.patch --- common/dlmalloc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/dlmalloc.c b/common/dlmalloc.c index 16fe49d0e..156481cb4 100644 --- a/common/dlmalloc.c +++ b/common/dlmalloc.c @@ -367,8 +367,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /* pad request bytes into a usable size */ #define request2size(req) \ - (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ - (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ + ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \ + (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \ (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK))) /* Check if m has acceptable alignment */ -- 2.30.2