If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be overflow by MM_ALIGN_UP macro. For example, if task_create() called with stack_size == -1, up_create_stack() functions allocates SIZEOF_MM_ALLOCNODE bytes for stack.

This can cause data abort in up_stack_color() function.
2026-05-23 14:58:13 +08:00 · 2017-10-17 06:37:09 -06:00
parent 5d6ecfa3ca
commit 196911d4fa
1 changed files with 7 additions and 2 deletions
@@ -1,7 +1,8 @@
 /****************************************************************************
 * mm/mm_heap/mm_malloc.c
 *
- *   Copyright (C) 2007, 2009, 2013-2014  Gregory Nutt. All rights reserved.
+ *   Copyright (C) 2007, 2009, 2013-2014, 2017  Gregory Nutt. All rights
+ *     reserved.
 *   Author: Gregory Nutt <gnutt@nuttx.org>
 *
 * Redistribution and use in source and binary forms, with or without
@@ -75,7 +76,11 @@ FAR void *mm_malloc(FAR struct mm_heap_s *heap, size_t size)

  /* Handle bad sizes */

-  if (size < 1)
+#ifndef CONFIG_MM_SMALL
+  if (size < 1 || size > (UINT32_MAX - SIZEOF_MM_ALLOCNODE))
+#else
+  if (size < 1 || size > (UINT16_MAX - SIZEOF_MM_ALLOCNODE))
+#endif
    {
      return NULL;
    }