Subject: Re: [edk2-devel] [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc()
To: devel@edk2.groups.io, michael.d.kinney@intel.com
Cc: Yitzhak Briskman , Jian J Wang , Yonghong Zhu
References: <20210818220326.339-1-michael.d.kinney@intel.com>
From: "Rebecca Cran"
Message-ID: <98195237-5de2-ac43-2f33-a5fd01ae4d72@nuviainc.com>
Date: Wed, 18 Aug 2021 16:08:09 -0600
In-Reply-To: <20210818220326.339-1-michael.d.kinney@intel.com>

Reviewed-by: Rebecca Cran

Not sure the first \n is needed though.

--
Rebecca Cran

On 8/18/21 4:03 PM, Michael D Kinney wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510
>
> Check for addition overflow in malloc() when computing NodeSize
> and return error if overflow is detected.
>
> Cc: Rebecca Cran
> Cc: Yitzhak Briskman
> Cc: Jian J Wang
> Cc: Yonghong Zhu
> Signed-off-by: Michael D Kinney
> ---
> StdLib/LibC/StdLib/Malloc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c
> index c131b9e..7bf8827 100644
> --- a/StdLib/LibC/StdLib/Malloc.c
> +++ b/StdLib/LibC/StdLib/Malloc.c
> @@ -94,6 +94,12 @@ malloc(size_t Size) > return NULL; > } > > + if ((Size + sizeof(CPOOL_HEAD)) < Size) { > + RetVal = NULL; > + errno = ENOMEM; > + DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n")); > + } > + > NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD)); > > DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize));
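
Review bot: the new overflow branch in malloc() has no return, so after setting RetVal and errno control falls through to `NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));` and the wrapped sum is still computed into NodeSize and logged. The commit message says an error is returned on overflow, so the branch should end with `return NULL;`, the same way the check just above it does. On the DEBUG line, the string starts with "\n", unlike the DEBUG_POOL message below it; dropping the leading newline would keep the log output consistent.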