From: Rasmus Villemoes <ravi@prevas.dk>
To: Aristo Chen <aristo.chen@canonical.com>
Cc: u-boot@lists.denx.de, Tom Rini <trini@konsulko.com>
Subject: Re: [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r
Date: Thu, 09 Apr 2026 11:50:52 +0200 [thread overview]
Message-ID: <87mrzco41v.fsf@prevas.dk> (raw)
In-Reply-To: <20260408140339.798015-1-aristo.chen@canonical.com> (Aristo Chen's message of "Wed, 8 Apr 2026 14:03:35 +0000")
On Wed, Apr 08 2026, Aristo Chen <aristo.chen@canonical.com> wrote:
> When size == SIZE_MAX, the expression malloc(size + 1) wraps to
> malloc(0) due to unsigned integer overflow. malloc(0) may return a
> non-NULL pointer, causing the subsequent memcpy(data, env, size) to
> write SIZE_MAX bytes into a zero-byte allocation.
>
> This is reachable from the U-Boot console via "env import", where size
> is taken directly from a user-supplied hex argument.
>
> Add an explicit check for SIZE_MAX before the malloc call and return
> EINVAL.
>
> Signed-off-by: Aristo Chen <aristo.chen@canonical.com>
> ---
> lib/hashtable.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/lib/hashtable.c b/lib/hashtable.c
> index 75c263b5053..902fa6f3e98 100644
> --- a/lib/hashtable.c
> +++ b/lib/hashtable.c
> @@ -820,6 +820,13 @@ int himport_r(struct hsearch_data *htab,
> return 0;
> }
>
> + /* Check for potential integer overflow */
> + if (size == SIZE_MAX) {
> + debug("%s: size too large, would overflow\n", __func__);
> + __set_errno(EINVAL);
> + return 0;
> + }
> +
Well, you can corrupt arbitrary memory from the u-boot shell, so "taken
directly from a user-supplied hex argument" is not really a very
compelling argument in the context of U-Boot.
Instead of adding such ad hoc checks that mostly just increase code size
a little, I think it's better to zoom out and see what this really
does. And this is ripe for adding a memdup_nul() helper (linux has that
under the name kmemdup_nul). If we add that, we can do the overflow
check inside that in that one place, and we can convert a lot of similar
users all over the tree, and eliminate quite a lot of #loc.
I'll try to write something.
Rasmus
prev parent reply other threads:[~2026-04-09 9:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 14:03 [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r Aristo Chen
2026-04-08 14:03 ` [PATCH v1 2/2] test: env: add test for himport_r SIZE_MAX overflow guard Aristo Chen
2026-04-11 17:39 ` Simon Glass
2026-04-08 17:47 ` [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r Stefan Monnier
2026-04-09 9:50 ` Rasmus Villemoes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mrzco41v.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=aristo.chen@canonical.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.