Large size overflow in k_malloc resulting in small chunk instead of failure

Description

Reported by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de> (Principal Security Consultant)

  • kernel/mempool.c

void *k_malloc(size_t size)
{
        struct k_mem_block block;

        /*
         * get a block large enough to hold an initial (hidden) block
         * descriptor, as well as the space the caller requested
         */
        size += sizeof(struct k_mem_block_id);
        /* ... remainder of the function omitted in the report ... */

If a large size is requested, the addition might overflow and lead to a
small chunk being allocated instead of e.g. a proper failure. This could
lead to writes into non-allocated memory.
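The wrap-around described above, shown as an added example that is not code from the report or from Zephyr: the unchecked addition beside a hardened variant that refuses sizes for which the sum does not fit in size_t. The struct name, field layout (8 bytes) and function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the hidden block descriptor; the real layout is not
 * given in the report, so assume an 8-byte struct here. */
struct k_mem_block_id_example { uint32_t pool; uint32_t block; };

#define HDR_SIZE sizeof(struct k_mem_block_id_example)

/* The pattern from the report: unsigned addition silently wraps,
 * so a request near SIZE_MAX becomes a few bytes. */
size_t header_size_unchecked(size_t size)
{
    size += HDR_SIZE;
    return size;
}

/* Hardened variant: detect the wrap before the sum is used.
 * Returns false and leaves *out untouched when size + HDR_SIZE does
 * not fit in size_t, so the caller can fail the allocation instead. */
bool header_size_checked(size_t size, size_t *out)
{
    if (size > SIZE_MAX - HDR_SIZE) {
        return false;
    }
    *out = size + HDR_SIZE;
    return true;
}

int main(void)
{
    size_t huge = SIZE_MAX - 2, total = 0;

    /* Unchecked: SIZE_MAX - 2 + 8 wraps to 5 */
    printf("unchecked: %zu -> %zu\n", huge, header_size_unchecked(huge));

    /* Checked: the same request is rejected */
    printf("checked: %s\n",
           header_size_checked(huge, &total) ? "accepted" : "rejected");
    return 0;
}
```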

Environment

None

Assignee

Unassigned

Reporter

Ruud Derwig

Labels

None

Authorized viewers

Maureen Helm

CVE

None

Embargo Lift

None

Fix versions

Priority

Medium