SUSE:SLE-15-SP3:Update
File 5e3bd3f8-xmalloc-guard-against-overflow.patch of Package xen.14764
# Commit cf38b4926e2b55d1d7715cff5095a7444f5ed42d # Date 2020-02-06 09:53:12 +0100 # Author Jan Beulich <jbeulich@suse.com> # Committer Jan Beulich <jbeulich@suse.com> xmalloc: guard against integer overflow There are hypercall handling paths (EFI ones are what this was found with) needing to allocate buffers of a caller specified size. This is generally fine, as our page allocator enforces an upper bound on all allocations. However, certain extremely large sizes could, when adding in allocator overhead, result in an apparently tiny allocation size, which would typically result in either a successful allocation, but a severe buffer overrun when using that memory block, or in a crash right in the allocator code. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> --- a/xen/common/xmalloc_tlsf.c +++ b/xen/common/xmalloc_tlsf.c @@ -388,7 +388,17 @@ void *xmem_pool_alloc(unsigned long size pool->init_region = region; } - size = (size < MIN_BLOCK_SIZE) ? MIN_BLOCK_SIZE : ROUNDUP_SIZE(size); + if ( size < MIN_BLOCK_SIZE ) + size = MIN_BLOCK_SIZE; + else + { + tmp_size = ROUNDUP_SIZE(size); + /* Guard against overflow. */ + if ( tmp_size < size ) + return NULL; + size = tmp_size; + } + /* Rounding up the requested size and calculating fl and sl */ spin_lock(&pool->lock); @@ -583,6 +593,10 @@ void *_xmalloc(unsigned long size, unsig align = MEM_ALIGN; size += align - MEM_ALIGN; + /* Guard against overflow. */ + if ( size < align - MEM_ALIGN ) + return NULL; + if ( !xenpool ) tlsf_init();
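Review bot: In the first hunk (xmem_pool_alloc), the wrap test `if ( tmp_size < size )` only works if `tmp_size` has the same unsigned type as `size`, and its declaration is not among the visible lines. Please confirm it is declared `unsigned long`; with a narrower or signed type the comparison would not reliably catch a `ROUNDUP_SIZE(size)` result that wrapped to a small value. A minor style point: the retained comment `/* Rounding up the requested size and calculating fl and sl */` now follows the rounding code instead of introducing it, so consider moving it above the new `if`/`else` or trimming it to the fl/sl part. The early `return NULL` sits before `spin_lock(&pool->lock)`, so no unlock is needed on that path.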
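Review bot: In the second hunk (_xmalloc), the guard `if ( size < align - MEM_ALIGN )` runs after `size += align - MEM_ALIGN;`, so it detects the wrap after the fact, which is valid only because `size` is `unsigned long`; a short extension of the `/* Guard against overflow. */` comment saying so would keep a later type change from silently defeating it. The check also covers only the alignment padding, while the commit message speaks of allocator overhead in general: it would help to state in the message or the comment which later additions are caught by the new test in xmem_pool_alloc and which rely on the page allocator's upper bound.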