Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security issue: prevent BadAlloc #22

Open
savar opened this issue Aug 18, 2021 · 1 comment
Open

security issue: prevent BadAlloc #22

savar opened this issue Aug 18, 2021 · 1 comment

Comments

@savar
Copy link

savar commented Aug 18, 2021

see: https://msrc-blog.microsoft.com/2021/04/29/badalloc-memory-allocation-vulnerabilities-could-affect-wide-range-of-iot-and-ot-devices-in-industrial-medical-and-enterprise-networks/

in case tlsf_alloc is called with 0xffffffffu on a 32bit system the align_up() function will set the adjusted size to 0 and the tlfs_max() will set it to the minimum which was in my case 12 bytes. Therefore asking TLSF for SIZE_T_MAX (0xffffffff) will not fail with returning NULL but will return a pointer to a 12 byte memory block.

tlsf_alloc is kind of easy to fix, but the _realloc brother is less obvious. So fixing it in adjust_request_size() isn't really working.
@savar
Copy link
Author

savar commented Aug 19, 2021

I just realized, adjust_request_size() can return already 0 in case the aligned value in adjust_request_size() is >= block_size_max and then this might kill tlsf_realloc() as it might call block_trim_used() with an adjust value of 0. Not sure if this is an issue but it looks very much like it.

@savar savar closed this as completed Aug 19, 2021
@savar savar reopened this Aug 19, 2021
@embeddedt embeddedt mentioned this issue May 13, 2022
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@savar