From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: j.martin@pengutronix.de, Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH master 2/2] tlsf: fix internal overflow trying to allocate big buffers
Date: Mon, 23 May 2022 08:27:56 +0200 [thread overview]
Message-ID: <20220523062756.774153-2-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20220523062756.774153-1-a.fatoum@pengutronix.de>
The function adjust_request_size() has an unhandled failure mode:
If aligning a buffer up overflows SIZE_MAX, it will compute a way to
short buffer instead of propagating an error. Fix this by returning
0 in this case and checking for 0 whereever the function is called.
0 is a safe choice for an error code, because the function returns
at least block_size_min on success and 0 was already an error code
(that was just never handled).
Reported-by: Jonas Martin <j.martin@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/tlsf.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/common/tlsf.c b/common/tlsf.c
index 520cce496ef6..3ca58e3abbfb 100644
--- a/common/tlsf.c
+++ b/common/tlsf.c
@@ -313,7 +313,7 @@ static size_t adjust_request_size(size_t size, size_t align)
const size_t aligned = align_up(size, align);
/* aligned sized must not exceed block_size_max or we'll go out of bounds on sl_bitmap */
- if (aligned < block_size_max)
+ if (aligned >= size && aligned < block_size_max)
{
adjust = tlsf_max(aligned, block_size_min);
}
@@ -942,7 +942,12 @@ void* tlsf_malloc(tlsf_t tlsf, size_t size)
{
control_t* control = tlsf_cast(control_t*, tlsf);
const size_t adjust = adjust_request_size(size, ALIGN_SIZE);
- block_header_t* block = block_locate_free(control, adjust);
+ block_header_t* block;
+
+ if (!adjust)
+ return NULL;
+
+ block = block_locate_free(control, adjust);
return block_prepare_used(control, block, adjust, size);
}
@@ -969,7 +974,12 @@ void* tlsf_memalign(tlsf_t tlsf, size_t align, size_t size)
*/
const size_t aligned_size = (adjust && align > ALIGN_SIZE) ? size_with_gap : adjust;
- block_header_t* block = block_locate_free(control, aligned_size);
+ block_header_t* block;
+
+ if (!adjust || !size_with_gap)
+ return NULL;
+
+ block = block_locate_free(control, aligned_size);
/* This can't be a static assert. */
tlsf_assert(sizeof(block_header_t) == block_size_min + block_header_overhead);
@@ -1059,6 +1069,9 @@ void* tlsf_realloc(tlsf_t tlsf, void* ptr, size_t size)
tlsf_assert(!block_is_free(block) && "block already marked as free");
+ if (!adjust)
+ return NULL;
+
/*
** If the next block is used, or when combined with the current
** block, does not offer enough space, we must reallocate and copy.
--
2.30.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2022-05-23 8:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 6:27 [PATCH master 1/2] test: self: add basic testing for malloc() Ahmad Fatoum
2022-05-23 6:27 ` Ahmad Fatoum [this message]
2022-05-24 7:04 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220523062756.774153-2-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=j.martin@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox