JehanneOS/mksh
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

• Address concerns of Chris Palmer from the Android security team

Browse Source 
– possible integer overflows in memory allocation, mostly
    ‣ multiplication: all are checked now
    ‣ addition: reviewed them, most were “proven” or guessed to be
      “almost” impossible to run over (e.g. when we have a string
      whose length is taken it is assumed that the length will be
      more than only a few bytes below SIZE_MAX, since code and
      stack have to fit); some are checked now (e.g. when one of
      the summands is an off_t); most of the unchecked ones are
      annotated now
    ⇒ cost (MirBSD/i386 static): +76 .text
    ⇒ cost (Debian sid/i386): +779 .text  -4 .data
  – on Linux targets, setuid() setresuid() setresgid() can fail
    with EAGAIN; check for that and, if so, warn once and retry
    infinitely (other targets to be added later once we know that
    they are “insane”)
    ⇒ cost (Debian sid/i386): +192 .text (includes .rodata)
• setmode.c: Do overflow checking for realloc() too; switch back
  from calloc() to a checked malloc() for simplification while there
• define -DIN_MKSH and let setmode.c look a tad nicer while here
This commit is contained in:
tg
2010-09-14 21:26:19 +00:00
parent 08862021ee
commit 667d792d6a
18 changed files with 204 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lalloc.c
View File

@ -20,7 +20,7 @@
#include "sh.h"
__RCSID("$MirOS: src/bin/mksh/lalloc.c,v 1.12 2010/08/28 20:22:19 tg Exp $");
__RCSID("$MirOS: src/bin/mksh/lalloc.c,v 1.13 2010/09/14 21:26:14 tg Exp $");
/* build with CPPFLAGS+= -DUSE_REALLOC_MALLOC=0 on ancient systems */
#if defined(USE_REALLOC_MALLOC) && (USE_REALLOC_MALLOC == 0)
@ -67,6 +67,15 @@ findptr(ALLOC_ITEM **lpp, char *ptr, Area *ap)
return (ap);
}
void *
aresize2(void *ptr, size_t fac1, size_t fac2, Area *ap)
{
if (fac1 && fac2 && (SIZE_MAX / fac1 < fac2))
internal_errorf(T_intovfl, (unsigned long)fac1, '*',
(unsigned long)fac2);
return (aresize(ptr, fac1 * fac2, ap));
}
void *
aresize(void *ptr, size_t numb, Area *ap)
{
@ -80,7 +89,7 @@ aresize(void *ptr, size_t numb, Area *ap)
pp->next = lp->next;
}
if ((numb >= SIZE_MAX - ALLOC_SIZE) ||
if (notoktoadd(numb, ALLOC_SIZE) ||
(lp = remalloc(lp, numb + ALLOC_SIZE)) == NULL
#ifndef MKSH_SMALL
|| ALLOC_ISUNALIGNED(lp)