Fix size_t overflow in sa_common.c (GHSL-2022-074)

allocate_structures function located in sa_common.c insufficiently
checks bounds before arithmetic multiplication allowing for an
overflow in the size allocated for the buffer representing system
activities.

This patch checks that the post-multiplied value is not greater than
UINT_MAX.

Signed-off-by: Sebastien <seb@fedora-2.home>

diff --git a/common.c b/common.c
index 81c7762444782235f6bf80597b6829aca6362f2c..1a84b052ee0d5b69eab75dcefb0fe9814834bc83 100644 (file)
--- a/common.c
+++ b/common.c
@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char
 
        return 0;
 }
+
+/*
+ ***************************************************************************
+ * Check if the multiplication of the 3 values may be greater than UINT_MAX.
+ *
+ * IN:
+ * @val1       First value.
+ * @val2       Second value.
+ * @val3       Third value.
+ ***************************************************************************
+ */
+void check_overflow(size_t val1, size_t val2, size_t val3)
+{
+       if ((unsigned long long) val1 *
+           (unsigned long long) val2 *
+           (unsigned long long) val3 > UINT_MAX) {
+#ifdef DEBUG
+               fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+                       __FUNCTION__,
+                       (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3);
+#endif
+       exit(4);
+       }
+}
+
 #endif /* SOURCE_SADC undefined */

diff --git a/common.h b/common.h
index 55b6657d8665f584ad055e6b5b86718bb611aa2f..e8ab98ab038aebdf2addbd2d96bebcdd6c3eded8 100644 (file)
--- a/common.h
+++ b/common.h
@@ -260,6 +260,8 @@ int check_dir
        (char *);
 
 #ifndef SOURCE_SADC
+void check_overflow
+       (size_t, size_t, size_t);
 int count_bits
        (void *, int);
 int count_csvalues

diff --git a/sa_common.c b/sa_common.c
index 3699a840fdc8b224d1af215ede5b28dcde3ea875..b2cec4ad319ce5065d7cd6befdf31d948eed2ae5 100644 (file)
--- a/sa_common.c
+++ b/sa_common.c
@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[])
        int i, j;
 
        for (i = 0; i < NR_ACT; i++) {
+
                if (act[i]->nr_ini > 0) {
+
+                       /* Look for a possible overflow */
+                       check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini,
+                                      (size_t) act[i]->nr2);
+
                        for (j = 0; j < 3; j++) {
                                SREALLOC(act[i]->buf[j], void,
                                                (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2);