From: Richard Weinberger Date: Fri, 2 Aug 2024 10:08:46 +0000 (+0200) Subject: dlmalloc: Make sure allocation size is within malloc area X-Git-Tag: v2025.01-rc5-pxa1908~170^2~120 X-Git-Url: http://git.dujemihanovic.xyz/%22/icons/right.gif/static/git-logo.png?a=commitdiff_plain;h=9b9368b5c4dc24b3b999743db26fb915981d26a9;p=u-boot.git dlmalloc: Make sure allocation size is within malloc area Since U-Boot does not support memory overcommit we can enforce that the allocation size is within the malloc area. This is a simple and efficient hardening measure to mitigate further integer overflows in dlmalloc. Signed-off-by: Richard Weinberger Reviewed-by: Simon Glass --- diff --git a/common/dlmalloc.c b/common/dlmalloc.c index 8e201ac0dc..1ac7ce3f43 100644 --- a/common/dlmalloc.c +++ b/common/dlmalloc.c @@ -1274,7 +1274,8 @@ Void_t* mALLOc_impl(bytes) size_t bytes; return NULL; } - if ((long)bytes < 0) return NULL; + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) + return NULL; nb = request2size(bytes); /* padded request size; */ @@ -1687,7 +1688,8 @@ Void_t* rEALLOc_impl(oldmem, bytes) Void_t* oldmem; size_t bytes; } #endif - if ((long)bytes < 0) return NULL; + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) + return NULL; /* realloc of null is supposed to be same as malloc */ if (oldmem == NULL) return mALLOc_impl(bytes); @@ -1911,7 +1913,8 @@ Void_t* mEMALIGn_impl(alignment, bytes) size_t alignment; size_t bytes; mchunkptr remainder; /* spare room at end to split off */ long remainder_size; /* its size */ - if ((long)bytes < 0) return NULL; + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) + return NULL; #if CONFIG_IS_ENABLED(SYS_MALLOC_F) if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT)) {