Skip to content
Permalink
Browse files

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would be a small memory block, while num_pages would be large, which could
lead to a generous memcpy() when copying the pages in internal memory, the
outcome of this depends on memory mapping.

Note: no attack path are identified to exploit this overflow, however it
is error prone and could lead to a future vulnerability.

This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static
function that performs the same computation, but returns 0 in case of
integer overflow. The call site is updated to return an error status
should this situation happen.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
  • Loading branch information...
jforissier committed Feb 4, 2019
1 parent 99164a0 commit 8ad7af50273124c3cf043a798df633ae2c388913
Showing with 15 additions and 3 deletions.
  1. +15 −3 core/arch/arm/mm/mobj.c
@@ -317,8 +317,16 @@ struct mobj_reg_shm {
paddr_t pages[];
};

#define MOBJ_REG_SHM_SIZE(nr_pages) \
(sizeof(struct mobj_reg_shm) + sizeof(paddr_t) * (nr_pages))
static size_t mobj_reg_shm_size(size_t nr_pages)
{
size_t s = 0;

if (MUL_OVERFLOW(sizeof(paddr_t), nr_pages, &s))
return 0;
if (ADD_OVERFLOW(sizeof(struct mobj_reg_shm), s, &s))
return 0;
return s;
}

static SLIST_HEAD(reg_shm_head, mobj_reg_shm) reg_shm_list =
SLIST_HEAD_INITIALIZER(reg_shm_head);
@@ -460,11 +468,15 @@ struct mobj *mobj_reg_shm_alloc(paddr_t *pages, size_t num_pages,
struct mobj_reg_shm *mobj_reg_shm;
size_t i;
uint32_t exceptions;
size_t s;

if (!num_pages)
return NULL;

mobj_reg_shm = calloc(1, MOBJ_REG_SHM_SIZE(num_pages));
s = mobj_reg_shm_size(num_pages);
if (!s)
return NULL;
mobj_reg_shm = calloc(1, s);
if (!mobj_reg_shm)
return NULL;

0 comments on commit 8ad7af5

Please sign in to comment.
You can’t perform that action at this time.