From nobody Sat Apr 27 10:38:50 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+79538+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+79538+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=intel.com
ARC-Seal: i=1; a=rsa-sha256; t=1629324218; cv=none;
	d=zohomail.com; s=zohoarc;
	b=X9jQxt86GrblUgBelrTBGqI/cvMhLE1kBGxfPr09CIdaMuYsSnBEbPwNJy0P3k5HvQ/uU7qjCFtr6v/IOLB5/Sxi14AHOcctKp70JXoN0EZXiQCZ7fejXLzNegV3ffY//P2LFW4XJBNJYDnY7hyVxXvdmhSVtrb6SqI6KiYV3kM=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1629324218;
 h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=zGUiFtd4/aVihQH1jtCg3WxFb53OT8oN8KTqqXjDXC4=;
	b=BNzxdWIUHYiMaMfvd3GtIafmnmACuc8hvj3UX4WFjMyCwtGe1txZ+WjELD8lLJBWAYrK4U5OTdmwDkv5/7rcxoWS1ehegQ+LlmV4+H3vnnXjRJHrTyufNaU6pXPx8PwIHOL8UaGlozuOwxkdhzvyLKMkro9+n5LYCDrYlprIWUw=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+79538+1787277+3901457@groups.io;
	dmarc=fail header.from=<michael.d.kinney@intel.com> (p=none dis=none)
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1629324218364359.3727095500085;
 Wed, 18 Aug 2021 15:03:38 -0700 (PDT)
Return-Path: <bounce+27952+79538+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id lgFhYY1788612xKNjHHufmmq;
 Wed, 18 Aug 2021 15:03:38 -0700
X-Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 by mx.groups.io with SMTP id smtpd.web12.62061.1629324216846659089
 for <devel@edk2.groups.io>;
 Wed, 18 Aug 2021 15:03:37 -0700
X-IronPort-AV: E=McAfee;i="6200,9189,10080"; a="213316815"
X-IronPort-AV: E=Sophos;i="5.84,332,1620716400";
   d="scan'208";a="213316815"
X-Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 18 Aug 2021 15:03:35 -0700
X-IronPort-AV: E=Sophos;i="5.84,332,1620716400";
   d="scan'208";a="681411396"
X-Received: from mdkinney-mobl2.amr.corp.intel.com ([10.212.191.175])
  by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 18 Aug 2021 15:03:35 -0700
From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: devel@edk2.groups.io
Cc: Rebecca Cran <rebecca@nuviainc.com>,
	Yitzhak Briskman <yitzhak.briskman@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Yonghong Zhu <yonghong.zhu@intel.com>
Subject: [edk2-devel] [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible
 math overflow in malloc()
Date: Wed, 18 Aug 2021 15:03:26 -0700
Message-Id: <20210818220326.339-1-michael.d.kinney@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Unsubscribe: <mailto:devel+unsubscribe@edk2.groups.io>
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,michael.d.kinney@intel.com
X-Gm-Message-State: aljNsxlELHLyfSOBdIQWO3WSx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1629324218;
 bh=5qzydisEoCFOuMfutt4hP/OxqI9UX4Er8fNJITWuSko=;
 h=Cc:Date:From:Reply-To:Subject:To;
 b=C561K/jc8DFg6hpsVVISscyF5ODJ0atgTimH5U1cNkWfDL7ae2AJAJm0PPEQYJ+0Y+Q
 sloDbuUl0+Pm4MUAID2G+RFXbSLvkoVy37bP1gLO0g7dFPyQSIINAUv4xixHsojJRbAHd
 2lyF32IZqmX017b/u5yADa9Cuw3NNb20NrU=
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1629324221445100002
Content-Type: text/plain; charset="utf-8"

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1510

Check for addition overflow in malloc() when computing NodeSize
and return error if overflow is detected.

Cc: Rebecca Cran <rebecca@nuviainc.com>
Cc: Yitzhak Briskman <yitzhak.briskman@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Rebecca Cran <rebecca@nuviainc.com>
---
 StdLib/LibC/StdLib/Malloc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c
index c131b9e..7bf8827 100644
--- a/StdLib/LibC/StdLib/Malloc.c
+++ b/StdLib/LibC/StdLib/Malloc.c
@@ -94,6 +94,12 @@ malloc(size_t Size)
     return NULL;
   }
=20
+  if ((Size + sizeof(CPOOL_HEAD)) < Size) {
+    RetVal  =3D NULL;
+    errno   =3D ENOMEM;
+    DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n"));
+  }
+
   NodeSize =3D (UINTN)(Size + sizeof(CPOOL_HEAD));
=20
   DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize));
--=20
2.32.0.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79538): https://edk2.groups.io/g/devel/message/79538
Mute This Topic: https://groups.io/mt/84983903/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-