diff --git a/meta-initramfs/recipes-devtools/klibc/files/CVE-2021-31870.patch b/meta-initramfs/recipes-devtools/klibc/files/CVE-2021-31870.patch
new file mode 100644
index 0000000000..028b5d395e
--- /dev/null
+++ b/meta-initramfs/recipes-devtools/klibc/files/CVE-2021-31870.patch
@@ -0,0 +1,45 @@
+From 15c0e066ac8a75bdb3189dd5d77dc0f3539afefd Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Wed, 28 Apr 2021 04:29:50 +0200
+Subject: [PATCH] calloc: Fail if multiplication overflows
+
+calloc() multiplies its 2 arguments together and passes the result to
+malloc(). Since the factors and product both have type size_t, this
+can result in an integer overflow and subsequent buffer overflow.
+Check for this and fail if it happens.
+
+CVE-2021-31870
+
+CVE: CVE-2021-31870
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2]
+
+Signed-off-by: Ben Hutchings
+---
+ usr/klibc/calloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
+index 53dcc6b..4a81cda 100644
+--- a/usr/klibc/calloc.c
++++ b/usr/klibc/calloc.c
+@@ -2,12 +2,17 @@
+ * calloc.c
+ */
+
++#include
+ #include
+ #include
+
+-/* FIXME: This should look for multiplication overflow */
+-
+ void *calloc(size_t nmemb, size_t size)
+ {
+- return zalloc(nmemb * size);
++ unsigned long prod;
++
++ if (__builtin_umull_overflow(nmemb, size, &prod)) {
++ errno = ENOMEM;
++ return NULL;
++ }
++ return zalloc(prod);
+ }
diff --git a/meta-initramfs/recipes-devtools/klibc/klibc.inc b/meta-initramfs/recipes-devtools/klibc/klibc.inc
index ceb4f5ad3b..dd22282b40 100644
--- a/meta-initramfs/recipes-devtools/klibc/klibc.inc
+++ b/meta-initramfs/recipes-devtools/klibc/klibc.inc
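Review bot: The overflow check in the embedded calloc.c hunk uses the type-specific `__builtin_umull_overflow` with an `unsigned long prod`, so it is exact only where `size_t` and `unsigned long` have the same width; on a target where they differed, the operands or the value passed to `zalloc()` would be converted silently and a wrapped size could still get through. That presumably holds on the ILP32/LP64 Linux targets klibc is built for, but nothing in the patch states it. Since this is a verbatim upstream backport, I would keep the code as is and record the assumption in the commit message; if diverging from upstream is acceptable, `size_t prod;` with `if (__builtin_mul_overflow(nmemb, size, &prod)) {` removes the width dependency. The patch header also carries only the upstream author's Signed-off-by, so the backporter's own sign-off should be added next to the `Upstream-Status` line.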
@@ -21,6 +21,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/klibc/2.0/klibc-${PV}.tar.xz \ file://0001-klibc-Kbuild-Accept-EXTRA_KLIBCAFLAGS.patch \ file://cross-clang.patch \ file://0001-workaround-for-overlapping-sections-in-binary.patch \ + file://CVE-2021-31870.patch \ " ARMPATCHES ?= ""