* [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc()
@ 2021-08-18 22:03 Michael D Kinney
2021-08-18 22:08 ` [edk2-devel] " Rebecca Cran
0 siblings, 1 reply; 3+ messages in thread
From: Michael D Kinney @ 2021-08-18 22:03 UTC (permalink / raw)
To: devel; +Cc: Rebecca Cran, Yitzhak Briskman, Jian J Wang, Yonghong Zhu
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510
Check for addition overflow in malloc() when computing NodeSize
and return error if overflow is detected.
Cc: Rebecca Cran <rebecca@nuviainc.com>
Cc: Yitzhak Briskman <yitzhak.briskman@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
---
StdLib/LibC/StdLib/Malloc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c
index c131b9e..7bf8827 100644
--- a/StdLib/LibC/StdLib/Malloc.c
+++ b/StdLib/LibC/StdLib/Malloc.c
@@ -94,6 +94,12 @@ malloc(size_t Size)
return NULL;
}
+ if ((Size + sizeof(CPOOL_HEAD)) < Size) {
+ RetVal = NULL;
+ errno = ENOMEM;
+ DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n"));
+ }
+
NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));
DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize));
--
2.32.0.windows.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc()
2021-08-18 22:03 [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc() Michael D Kinney
@ 2021-08-18 22:08 ` Rebecca Cran
2021-08-18 22:18 ` Michael D Kinney
0 siblings, 1 reply; 3+ messages in thread
From: Rebecca Cran @ 2021-08-18 22:08 UTC (permalink / raw)
To: devel, michael.d.kinney; +Cc: Yitzhak Briskman, Jian J Wang, Yonghong Zhu
Reviewed-by: Rebecca Cran <rebecca@nuviainc.com>
Not sure the first \n is needed though.
--
Rebecca Cran
On 8/18/21 4:03 PM, Michael D Kinney wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510
>
> Check for addition overflow in malloc() when computing NodeSize
> and return error if overflow is detected.
>
> Cc: Rebecca Cran <rebecca@nuviainc.com>
> Cc: Yitzhak Briskman <yitzhak.briskman@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Yonghong Zhu <yonghong.zhu@intel.com>
> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
> ---
> StdLib/LibC/StdLib/Malloc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c
> index c131b9e..7bf8827 100644
> --- a/StdLib/LibC/StdLib/Malloc.c
> +++ b/StdLib/LibC/StdLib/Malloc.c
> @@ -94,6 +94,12 @@ malloc(size_t Size)
> return NULL;
> }
>
> + if ((Size + sizeof(CPOOL_HEAD)) < Size) {
> + RetVal = NULL;
> + errno = ENOMEM;
> + DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n"));
> + }
> +
> NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));
>
> DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize));
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [edk2-devel] [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc()
2021-08-18 22:08 ` [edk2-devel] " Rebecca Cran
@ 2021-08-18 22:18 ` Michael D Kinney
0 siblings, 0 replies; 3+ messages in thread
From: Michael D Kinney @ 2021-08-18 22:18 UTC (permalink / raw)
To: devel@edk2.groups.io, rebecca@nuviainc.com, Kinney, Michael D
Cc: Briskman, Yitzhak, Wang, Jian J, Zhu, Yonghong
I just followed the DEBUG() message style in the rest of the malloc() function.
It does guarantee that the message starts at the left column, which is important
if the same console is used for both stdout and DEBUG() which can happen for
UEFI Applications.
PEI/DXE/MM/SMM components may have a dedicated device for DEBUG() messages or
may run before the local console is initialized, so the extra \n is not needed.
Mike
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Rebecca Cran
> Sent: Wednesday, August 18, 2021 3:08 PM
> To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>
> Cc: Briskman, Yitzhak <yitzhak.briskman@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Zhu, Yonghong
> <yonghong.zhu@intel.com>
> Subject: Re: [edk2-devel] [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc()
>
> Reviewed-by: Rebecca Cran <rebecca@nuviainc.com>
>
>
> Not sure the first \n is needed though.
>
>
> --
>
> Rebecca Cran
>
>
> On 8/18/21 4:03 PM, Michael D Kinney wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510
> >
> > Check for addition overflow in malloc() when computing NodeSize
> > and return error if overflow is detected.
> >
> > Cc: Rebecca Cran <rebecca@nuviainc.com>
> > Cc: Yitzhak Briskman <yitzhak.briskman@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Yonghong Zhu <yonghong.zhu@intel.com>
> > Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
> > ---
> > StdLib/LibC/StdLib/Malloc.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c
> > index c131b9e..7bf8827 100644
> > --- a/StdLib/LibC/StdLib/Malloc.c
> > +++ b/StdLib/LibC/StdLib/Malloc.c
> > @@ -94,6 +94,12 @@ malloc(size_t Size)
> > return NULL;
> > }
> >
> > + if ((Size + sizeof(CPOOL_HEAD)) < Size) {
> > + RetVal = NULL;
> > + errno = ENOMEM;
> > + DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n"));
> > + }
> > +
> > NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));
> >
> > DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize));
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-18 22:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-18 22:03 [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc() Michael D Kinney
2021-08-18 22:08 ` [edk2-devel] " Rebecca Cran
2021-08-18 22:18 ` Michael D Kinney
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox