From: Rasmus Villemoes <ravi@prevas.dk>
To: Aristo Chen <aristo.chen@canonical.com>
Cc: u-boot@lists.denx.de, Tom Rini <trini@konsulko.com>
Subject: Re: [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r
Date: Thu, 09 Apr 2026 11:50:52 +0200 [thread overview]
Message-ID: <87mrzco41v.fsf@prevas.dk> (raw)
In-Reply-To: <20260408140339.798015-1-aristo.chen@canonical.com> (Aristo Chen's message of "Wed, 8 Apr 2026 14:03:35 +0000")
On Wed, Apr 08 2026, Aristo Chen <aristo.chen@canonical.com> wrote:
> When size == SIZE_MAX, the expression malloc(size + 1) wraps to
> malloc(0) due to unsigned integer overflow. malloc(0) may return a
> non-NULL pointer, causing the subsequent memcpy(data, env, size) to
> write SIZE_MAX bytes into a zero-byte allocation.
>
> This is reachable from the U-Boot console via "env import", where size
> is taken directly from a user-supplied hex argument.
>
> Add an explicit check for SIZE_MAX before the malloc call and return
> EINVAL.
>
> Signed-off-by: Aristo Chen <aristo.chen@canonical.com>
> ---
> lib/hashtable.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/lib/hashtable.c b/lib/hashtable.c
> index 75c263b5053..902fa6f3e98 100644
> --- a/lib/hashtable.c
> +++ b/lib/hashtable.c
> @@ -820,6 +820,13 @@ int himport_r(struct hsearch_data *htab,
> return 0;
> }
>
> + /* Check for potential integer overflow */
> + if (size == SIZE_MAX) {
> + debug("%s: size too large, would overflow\n", __func__);
> + __set_errno(EINVAL);
> + return 0;
> + }
> +
Well, you can corrupt arbitrary memory from the u-boot shell, so "taken
directly from a user-supplied hex argument" is not really a very
compelling argument in the context of U-Boot.
Instead of adding such ad hoc checks that mostly just increase code size
a little, I think it's better to zoom out and see what this really
does. And this is ripe for adding a memdup_nul() helper (linux has that
under the name kmemdup_nul). If we add that, we can do the overflow
check inside that in that one place, and we can convert a lot of similar
users all over the tree, and eliminate quite a lot of #loc.
I'll try to write something.
Rasmus
prev parent reply other threads:[~2026-04-09 9:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 14:03 [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r Aristo Chen
2026-04-08 14:03 ` [PATCH v1 2/2] test: env: add test for himport_r SIZE_MAX overflow guard Aristo Chen
2026-04-08 17:47 ` [PATCH v1 1/2] lib: hashtable: fix integer overflow in himport_r Stefan Monnier
2026-04-09 9:50 ` Rasmus Villemoes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mrzco41v.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=aristo.chen@canonical.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox