Hi Richard, On Fri, 2 Aug 2024 at 04:08, Richard Weinberger <[email protected]> wrote: > > Since U-Boot does not support memory overcommit we can > enforce that the allocation size is within the malloc area. > This is a simple and efficient hardening measure to mitigate > further integer overflows in dlmalloc. > > Signed-off-by: Richard Weinberger <[email protected]> > --- > common/dlmalloc.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/common/dlmalloc.c b/common/dlmalloc.c > index c8d1da1cb1..d264fc031a 100644 > --- a/common/dlmalloc.c > +++ b/common/dlmalloc.c > @@ -1274,7 +1274,8 @@ Void_t* mALLOc_impl(bytes) size_t bytes; > return NULL; > } > > - if ((long)bytes < 0) return NULL; > + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) > + return NULL; > > nb = request2size(bytes); /* padded request size; */ > > @@ -1687,7 +1688,8 @@ Void_t* rEALLOc_impl(oldmem, bytes) Void_t* oldmem; > size_t bytes; > } > #endif > > - if ((long)bytes < 0) return NULL; > + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) > + return NULL; > > /* realloc of null is supposed to be same as malloc */ > if (oldmem == NULL) return mALLOc_impl(bytes); > @@ -1907,7 +1909,8 @@ Void_t* mEMALIGn_impl(alignment, bytes) size_t > alignment; size_t bytes; > mchunkptr remainder; /* spare room at end to split off */ > long remainder_size; /* its size */ > > - if ((long)bytes < 0) return NULL; > + if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0) > + return NULL; > > #if CONFIG_IS_ENABLED(SYS_MALLOC_F) > if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT)) { > -- > 2.35.3 >
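Review bot: in the new `mALLOc_impl()` check, `(long)bytes < 0` has become redundant: `bytes` is a `size_t`, so any value with its top bit set is already larger than `CONFIG_SYS_MALLOC_LEN` and is rejected by the first operand; the sign test can only fire if the arena were configured to span more than half the address space. Either drop it or add a one-line comment saying it is kept deliberately. The bound itself also deserves a comment at the check, since the reasoning ("no overcommit, so a request larger than the whole arena can never succeed") currently lives only in the commit message.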
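Review bot: this is the second verbatim copy of `if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)`, with a third following in `mEMALIGn_impl()`; consider a single `static inline bool malloc_size_out_of_range(size_t bytes)` helper so the limit is defined once and the three call sites cannot drift apart. The placement is right: the check precedes `if (oldmem == NULL) return mALLOc_impl(bytes);`, so an oversized request with a live `oldmem` returns NULL without touching the old block, which is the expected realloc contract.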
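Review bot: the new check in `mEMALIGn_impl(alignment, bytes)` bounds only `bytes`; `alignment` is also a caller-supplied `size_t` and is not validated in this hunk, so any arithmetic that later combines the two is only half-bounded. If the intent is to rely on the bound that `mALLOc_impl()` now applies to the padded request, a short comment saying so would make that explicit; otherwise `alignment` should get a sanity limit here too. Note that the check sits before the `#if CONFIG_IS_ENABLED(SYS_MALLOC_F)` / `GD_FLG_FULL_MALLOC_INIT` branch shown in the context, so it applies on both the pre-relocation and the full-malloc paths.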
Reviewed-by: Simon Glass <[email protected]>

I wonder if we can get away without the memalign() one since it is calling malloc() always? There is still the request2size() though.

Regards,
Simon

