[riot-notifications] [RIOT-OS/RIOT] pkg/tlsf, cpu/esp_common: fix possible overflow in calloc implementations [backport 2021.04] (#16447)

Kaspar Schleiser notifications at github.com
Wed May 5 11:22:47 CEST 2021


# Backport of #16438

### Contribution description

The documentation of `void *calloc(size_t nmemb, size_t size)` says it should detect overflows in `nmemb * size`, but the two implementations failed to comply. This fixes the issues.

[Some people might consider this a security fix](https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/). (But honestly, there are few legitimate use cases of dynamic memory management on MCUs in general. And using unchecked user input (including data received via network) to compute allocation sizes is something that will still allow resource exhaustion attacks even after the fix. So an application previously vulnerable is still vulnerable, only with one attack vector fewer.)

The preexisting test in `tests/malloc` was updated to also check for correct behavior of `calloc()`.

### Testing procedure

On a 32-bit system the following should result in a blowing assertion on `master`, but no longer with this PR:

```C
#include <assert.h>
#include <stdlib.h>

/* (1UL << 30) * 2 wraps to 0 in a 32-bit size_t, so an unchecked calloc()
 * returns a (tiny or zero-length) buffer instead of NULL */
assert(NULL == calloc((1UL << 30), 2));
```

Update: `tests/malloc` will check for correct behavior of `calloc`. It needs however to be modified to actually make use of tlsf.
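An added example (not the PR's own code) showing the overflow predicate such a fix relies on, with the unchecked form beside the checked one. The bump allocator over a static arena is a hypothetical stand-in for tlsf / the ESP heap; the request sizes are chosen so the product wraps to 0 for any width of `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical backend: bump allocator over a static arena. Like many
 * allocators it returns a non-NULL pointer for a zero-byte request. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

void arena_reset(void) {
    memset(arena, 0xAA, ARENA_SIZE);   /* dirty it so zeroing is observable */
    arena_used = 0;
}

static void *arena_malloc(size_t n) {
    if (n > ARENA_SIZE - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* nmemb * size wraps exactly when size > SIZE_MAX / nmemb (nmemb != 0). */
int calloc_size_overflows(size_t nmemb, size_t size) {
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Buggy form: the product silently wraps, so a huge request "succeeds"
 * with a buffer far smaller than the caller believes it got. */
void *calloc_unchecked(size_t nmemb, size_t size) {
    size_t total = nmemb * size;       /* unsigned wrap, e.g. to 0 */
    void *p = arena_malloc(total);
    if (p) memset(p, 0, total);
    return p;
}

/* Fixed form: reject the request instead of allocating a wrapped size. */
void *calloc_checked(size_t nmemb, size_t size) {
    if (calloc_size_overflows(nmemb, size)) return NULL;
    size_t total = nmemb * size;
    void *p = arena_malloc(total);
    if (p) memset(p, 0, total);
    return p;
}

int main(void) {
    arena_reset();
    printf("unchecked: %p\n", calloc_unchecked(SIZE_MAX / 2 + 1, 2)); /* non-NULL */
    printf("checked:   %p\n", calloc_checked(SIZE_MAX / 2 + 1, 2));   /* NULL */
    return 0;
}
```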

### Issues/PRs references

Found on twitter: https://twitter.com/mumblegrepper/status/1388058046908219394

(But I cannot find the original bug report the tweet is referring to.)

You can view, comment on, or merge this pull request online at:

  https://github.com/RIOT-OS/RIOT/pull/16447

-- Commit Summary --

  * pkg/tlsf: fix possible overflow in calloc implementation
  * cpu/esp_common: fix possible overflow in calloc implementation

-- File Changes --

    M cpu/esp_common/syscalls.c (8)
    M pkg/tlsf/contrib/newlib.c (8)

-- Patch Links --

https://github.com/RIOT-OS/RIOT/pull/16447.patch
https://github.com/RIOT-OS/RIOT/pull/16447.diff
