Skip to content
Browse files

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would be a small memory block, while num_pages would be large, which could
lead to a generous memcpy() when copying the pages in internal memory, the
outcome of this depends on memory mapping.

Note: no attack path are identified to exploit this overflow, however it
is error prone and could lead to a future vulnerability.

This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static
function that performs the same computation, but returns 0 in case of
integer overflow. The call site is updated to return an error status
should this situation happen.

Signed-off-by: Jerome Forissier <>
Reported-by: Bastien Simondi <> [2.3]
Reviewed-by: Jens Wiklander <>
Reviewed-by: Joakim Bech <>
  • Loading branch information...
jforissier committed Feb 4, 2019
1 parent 99164a0 commit 8ad7af50273124c3cf043a798df633ae2c388913
Showing with 15 additions and 3 deletions.
  1. +15 −3 core/arch/arm/mm/mobj.c
@@ -317,8 +317,16 @@ struct mobj_reg_shm {
paddr_t pages[];

#define MOBJ_REG_SHM_SIZE(nr_pages) \
(sizeof(struct mobj_reg_shm) + sizeof(paddr_t) * (nr_pages))
static size_t mobj_reg_shm_size(size_t nr_pages)
size_t s = 0;

if (MUL_OVERFLOW(sizeof(paddr_t), nr_pages, &s))
return 0;
if (ADD_OVERFLOW(sizeof(struct mobj_reg_shm), s, &s))
return 0;
return s;

static SLIST_HEAD(reg_shm_head, mobj_reg_shm) reg_shm_list =
@@ -460,11 +468,15 @@ struct mobj *mobj_reg_shm_alloc(paddr_t *pages, size_t num_pages,
struct mobj_reg_shm *mobj_reg_shm;
size_t i;
uint32_t exceptions;
size_t s;

if (!num_pages)
return NULL;

mobj_reg_shm = calloc(1, MOBJ_REG_SHM_SIZE(num_pages));
s = mobj_reg_shm_size(num_pages);
if (!s)
return NULL;
mobj_reg_shm = calloc(1, s);
if (!mobj_reg_shm)
return NULL;

0 comments on commit 8ad7af5

Please sign in to comment.
You can’t perform that action at this time.