
Since U-Boot does not support memory overcommit, we can enforce that the allocation size is within the malloc area. This is a simple and efficient hardening measure that mitigates further integer overflows in dlmalloc.
Signed-off-by: Richard Weinberger richard@nod.at --- common/dlmalloc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index c8d1da1cb1..d264fc031a 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -1274,7 +1274,8 @@ Void_t* mALLOc_impl(bytes) size_t bytes;
 return NULL;
 }
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
nb = request2size(bytes); /* padded request size; */
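Review bot: The retained `(long)bytes < 0` clause is dead once `bytes > CONFIG_SYS_MALLOC_LEN` precedes it, because every size_t with the top bit set already exceeds the arena length (unless CONFIG_SYS_MALLOC_LEN were configured above LONG_MAX, which seems unlikely); the same applies to the identical guards in rEALLOc_impl and mEMALIGn_impl. Keeping it is harmless, but the guard should say what it protects, since it runs before request2size() pads the request: `/* Reject sizes that cannot fit the malloc area; also keeps request2size() from overflowing */`. With the same three-line guard now repeated three times, a single `static inline` predicate would keep the limit and its comment in one place. mALLOc_impl's body continues outside the hunk.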
@@ -1687,7 +1688,8 @@ Void_t* rEALLOc_impl(oldmem, bytes) Void_t* oldmem; size_t bytes;
 }
 #endif
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
 /* realloc of null is supposed to be same as malloc */
 if (oldmem == NULL) return mALLOc_impl(bytes);
@@ -1907,7 +1909,8 @@ Void_t* mEMALIGn_impl(alignment, bytes) size_t alignment; size_t bytes;
 mchunkptr remainder; /* spare room at end to split off */
 long remainder_size; /* its size */
- if ((long)bytes < 0) return NULL;
+ if (bytes > CONFIG_SYS_MALLOC_LEN || (long)bytes < 0)
+ return NULL;
 #if CONFIG_IS_ENABLED(SYS_MALLOC_F)
 if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT)) {
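Review bot: The new limit is the size of the full malloc arena, yet the branch directly below it, `if (!(gd->flags & GD_FLG_FULL_MALLOC_INIT))`, handles requests made before full malloc is initialised, which presumably go to the early SYS_MALLOC_F allocator whose pool is sized independently of CONFIG_SYS_MALLOC_LEN. For that path the check is not a meaningful bound; either it intentionally relies on the early allocator's own limit, which is worth stating, or the guard should compare against the early pool size while that flag is clear. A comment at the guard such as `/* Bound is the full malloc area; the pre-relocation allocator below applies its own limit */` would record which is intended. mEMALIGn_impl's body continues outside the hunk.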