core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would be a small memory block, while num_pages would be large, which could
lead to a generous memcpy() when copying the pages in internal memory, the
outcome of this depends on memory mapping.

Note: no attack path are identified to exploit this overflow, however it
is error prone and could lead to a future vulnerability.

This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static
function that performs the same computation, but returns 0 in case of
integer overflow. The call site is updated to return an error status
should this situation happen.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

core/arch/arm/mm/mobj.c

@@ -317,8 +317,16 @@ struct mobj_reg_shm {
 	paddr_t pages[];
 };
 
-#define MOBJ_REG_SHM_SIZE(nr_pages) \
-	(sizeof(struct mobj_reg_shm) + sizeof(paddr_t) * (nr_pages))
+static size_t mobj_reg_shm_size(size_t nr_pages)
+{
+	size_t s = 0;
+
+	if (MUL_OVERFLOW(sizeof(paddr_t), nr_pages, &s))
+		return 0;
+	if (ADD_OVERFLOW(sizeof(struct mobj_reg_shm), s, &s))
+		return 0;
+	return s;
+}
 
 static SLIST_HEAD(reg_shm_head, mobj_reg_shm) reg_shm_list =
 	SLIST_HEAD_INITIALIZER(reg_shm_head);
@@ -460,11 +468,15 @@ struct mobj *mobj_reg_shm_alloc(paddr_t *pages, size_t num_pages,
 	struct mobj_reg_shm *mobj_reg_shm;
 	size_t i;
 	uint32_t exceptions;
+	size_t s;
 
 	if (!num_pages)
 		return NULL;
 
-	mobj_reg_shm = calloc(1, MOBJ_REG_SHM_SIZE(num_pages));
+	s = mobj_reg_shm_size(num_pages);
+	if (!s)
+		return NULL;
+	mobj_reg_shm = calloc(1, s);
 	if (!mobj_reg_shm)
 		return NULL;