[Minios-devel] [UNIKRAFT PATCH] lib/ukalloc: fix multiple unsigned overflows
+ make sure realsize does not overflow in uk_malloc_ifpages and uk_posix_memalign_ifpages. + make sure to not overflow when converting the number of pages to a size in bytes in uk_palloc_compat. + make sure to not overflow when computing array size in uk_calloc_compat. POSIX is not very clear about this, but both OpenBSD and Linux do check this. size_t and ulong overflows are unsigned overflows, thus well defined. We can check for overflow via new_value < value. Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@xxxxxxxxx> --- lib/ukalloc/alloc.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/lib/ukalloc/alloc.c b/lib/ukalloc/alloc.c index 2d16057..c0c9730 100644 --- a/lib/ukalloc/alloc.c +++ b/lib/ukalloc/alloc.c @@ -169,7 +169,8 @@ void *uk_malloc_ifpages(struct uk_alloc *a, size_t size) size_t realsize = sizeof(*metadata) + size; UK_ASSERT(a); - if (!size) + /* check for invalid size and overflow */ + if (!size || realsize < size) return NULL; num_pages = size_to_num_pages(realsize); @@ -271,6 +272,11 @@ int uk_posix_memalign_ifpages(struct uk_alloc *a, * order to be sure to find an aligned pointer preceding `size` bytes. */ realsize = size + padding + align; + + /* check for overflow */ + if (realsize < size) + return EINVAL; + num_pages = size_to_num_pages(realsize); intptr = (uintptr_t) uk_palloc(a, num_pages); @@ -282,7 +288,7 @@ int uk_posix_memalign_ifpages(struct uk_alloc *a, metadata = uk_get_metadata(*memptr); - /* check for underflow */ + /* check for underflow (should not happen) */ UK_ASSERT(intptr <= (uintptr_t) metadata); metadata->num_pages = num_pages; @@ -308,6 +314,10 @@ void *uk_palloc_compat(struct uk_alloc *a, unsigned long num_pages) UK_ASSERT(a); + /* check for overflow */ + if (num_pages > (~(size_t)0)/__PAGE_SIZE) + return NULL; + if (uk_posix_memalign(a, &ptr, __PAGE_SIZE, num_pages * __PAGE_SIZE)) return NULL; 
@@ -342,6 +352,10 @@ void *uk_calloc_compat(struct uk_alloc *a, size_t nmemb, size_t size) void *ptr; size_t tlen = nmemb * size; + /* check for overflow */ + if (nmemb > (~(size_t)0)/size) + return NULL; + UK_ASSERT(a); ptr = uk_malloc(a, tlen); if (!ptr) -- 2.24.1 Attachment:
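Review bot: the new `realsize < size` test in uk_malloc_ifpages only covers the addition `sizeof(*metadata) + size`; the `size_to_num_pages(realsize)` call that follows presumably rounds realsize up to a whole number of pages (as its name suggests), and that round-up can itself wrap when realsize lies within a page of the largest size_t, producing a num_pages of 0 or a tiny count for a huge request. Either reject `realsize > SIZE_MAX - (__PAGE_SIZE - 1)` here as well, or make size_to_num_pages report the overflow, so the guard cannot be bypassed by a value just below the wrap point.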
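Review bot: in uk_posix_memalign_ifpages the single `realsize < size` test after `realsize = size + padding + align;` is only sound if `padding + align` cannot itself wrap; that holds once align has been validated as a power of two, which is not visible in this hunk, so it is worth confirming that the validation precedes this point or checking `align > SIZE_MAX - padding` first. Separately, returning EINVAL for a size that cannot be represented diverges from the POSIX posix_memalign contract, where EINVAL is reserved for a bad alignment and an unsatisfiable request is ENOMEM; ENOMEM would also line up with the NULL return used in the uk_malloc_ifpages hunk.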
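Review bot: `(~(size_t)0)/__PAGE_SIZE` in uk_palloc_compat is correct but reads poorly; `SIZE_MAX / __PAGE_SIZE` from <stdint.h> says the same thing and is the same shape of expression the calloc hunk needs, so a shared helper or macro would keep both checks identical. num_pages is also an unsigned long compared against a size_t bound; that is fine on targets where the two have the same width, but an explicit cast or a comment would make the intent survive a port where they differ.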
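Review bot: `(~(size_t)0)/size` in uk_calloc_compat divides by zero when size == 0, and calloc(n, 0) is a legal call that must return NULL or a unique pointer rather than fault; the check also runs after `tlen` has already been computed from the unchecked product, which is harmless for unsigned operands but obscures the intent. Guard the divisor, e.g. `if (size && nmemb > SIZE_MAX / size) return NULL;`, and compute tlen after the check.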
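The four size computations the patch guards, written out as an added stand-alone C example rather than Unikraft's own code: the `ex_` helper names, the 4 KiB page size, the per-allocation header size and the rounding done by `ex_size_to_num_pages` are assumptions for illustration. Beyond the hunks themselves it shows two edge cases a practitioner would want covered, the page round-up wrapping after the addition check has passed, and the `size == 0` calloc request that a plain division-based check would fault on.

```c
/* Added example, not lib/ukalloc code. Page size, header size and helper
 * names are assumed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096u            /* assumed page size */
#define EX_METADATA  sizeof(size_t)   /* assumed per-allocation header */

/* Round up to whole pages without wrapping. Returns false when the round-up
 * itself would overflow, a case that a prior "realsize < size" test misses. */
static bool ex_size_to_num_pages(size_t realsize, size_t *num_pages)
{
    if (realsize > SIZE_MAX - (EX_PAGE_SIZE - 1))
        return false;
    *num_pages = (realsize + EX_PAGE_SIZE - 1) / EX_PAGE_SIZE;
    return true;
}

/* malloc path: header + size. Unsigned wrap is well defined, so a sum that is
 * smaller than one of its addends has wrapped. */
bool ex_malloc_pages(size_t size, size_t *num_pages)
{
    size_t realsize = EX_METADATA + size;

    if (!size || realsize < size)
        return false;
    return ex_size_to_num_pages(realsize, num_pages);
}

/* posix_memalign path: size + padding + align. The two additions are folded
 * into one by summing padding and align first, after checking that this
 * smaller sum cannot wrap; a single "< size" test is then sufficient. */
bool ex_memalign_pages(size_t size, size_t align, size_t *num_pages)
{
    size_t padding = EX_METADATA;
    size_t extra, realsize;

    /* POSIX: align must be a power of two and a multiple of sizeof(void *) */
    if (!align || (align & (align - 1)) || align % sizeof(void *))
        return false;
    if (align > SIZE_MAX - padding)   /* cannot happen for a power of two,
                                         but it keeps the next line honest */
        return false;
    extra = padding + align;
    realsize = size + extra;
    if (realsize < size)
        return false;
    return ex_size_to_num_pages(realsize, num_pages);
}

/* palloc path: number of pages -> bytes. */
bool ex_palloc_bytes(unsigned long num_pages, size_t *bytes)
{
    if (num_pages > SIZE_MAX / EX_PAGE_SIZE)
        return false;
    *bytes = (size_t)num_pages * EX_PAGE_SIZE;
    return true;
}

/* calloc path: nmemb * size. The divisor must be guarded: a zero-sized
 * element is a legal calloc request and must not divide by zero. */
bool ex_calloc_bytes(size_t nmemb, size_t size, size_t *bytes)
{
    if (size && nmemb > SIZE_MAX / size)
        return false;
    *bytes = nmemb * size;
    return true;
}

/* Exercises every path once; returns 1 when all outcomes match expectations. */
int ex_selfcheck(void)
{
    size_t v = 0;
    int ok = 1;

    ok &= ex_malloc_pages(100, &v) && v == 1;
    ok &= !ex_malloc_pages(0, &v);
    ok &= !ex_malloc_pages(SIZE_MAX, &v);             /* addition wraps */
    ok &= !ex_malloc_pages(SIZE_MAX - 108, &v);       /* round-up wraps */
    ok &= ex_memalign_pages(100, 16, &v) && v == 1;
    ok &= !ex_memalign_pages(100, 24, &v);            /* not a power of two */
    ok &= !ex_memalign_pages(SIZE_MAX - 10, 16, &v);  /* addition wraps */
    ok &= ex_palloc_bytes(3, &v) && v == 3 * (size_t)EX_PAGE_SIZE;
    ok &= !ex_palloc_bytes(SIZE_MAX / EX_PAGE_SIZE + 1, &v);
    ok &= ex_calloc_bytes(1, 0, &v) && v == 0;        /* size == 0 is legal */
    ok &= ex_calloc_bytes(SIZE_MAX / 2, 2, &v) && v == SIZE_MAX - 1;
    ok &= !ex_calloc_bytes(SIZE_MAX / 2 + 1, 2, &v);  /* product wraps */
    return ok;
}

int main(void)
{
    printf("all overflow checks behave as expected: %s\n",
           ex_selfcheck() ? "yes" : "no");
    return 0;
}
```

The `ex_malloc_pages(SIZE_MAX - 108, ...)` case is the one worth dwelling on: `realsize` does not wrap, so `realsize < size` passes, yet rounding it up to a page boundary would, which is why the round-up helper carries its own guard.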