author | Will Harris <wfh@chromium.org> | 2023-03-02 17:21:30 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-04 11:25:49 +0000 |
commit | ca58730e230cacf8eb0e97ac070f8e3beed8c738 (patch) | |
tree | 3027f8e164e0d412cdd41ff8ac7e65d070c5de28 | |
parent | c1d9b7fd4fa278262704795779b7e9011c102566 (diff) | |
download | qtwebengine-chromium-ca58730e230cacf8eb0e97ac070f8e3beed8c738.tar.gz |
[Backport] CVE-2023-1219: Heap buffer overflow in Metrics (3/3)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4280124:
Prevent potential integer overflow in PersistentMemoryAllocator
https://crrev.com/c/4250177 added an extra check for potential
integer overflow in GetAllocSize but forgot to add the same
check in GetBlock.
This meant that it was possible to get a pointer to a block
but calling GetAllocSize on the same block would return zero.
This change makes the two functions consistent with each other
so calling GetBlock on invalid data will return nullptr.
BUG=1417317,1415328
(cherry picked from commit 81be8e8f2e13a9f1fe6d3150205a3c13af1db6e9)
Change-Id: I8eb3d91bae4528fc97517d202baf337536a4c81f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4264177
Commit-Queue: Alexei Svitkine <asvitkine@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1107105}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4280124
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Commit-Queue: Zakhar Voit <voit@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1402}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469842
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/base/metrics/persistent_memory_allocator.cc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc index 015ec5cf288..7143bb7d294 100644 --- a/chromium/base/metrics/persistent_memory_allocator.cc +++ b/chromium/base/metrics/persistent_memory_allocator.cc @@ -888,8 +888,13 @@ PersistentMemoryAllocator::GetBlock(Reference ref, uint32_t type_id, if (ref % kAllocAlignment != 0) return nullptr; size += sizeof(BlockHeader); - if (ref + size > mem_size_) + uint32_t total_size; + if (!base::CheckAdd(ref, size).AssignIfValid(&total_size)) { + return nullptr; + } + if (total_size > mem_size_) { return nullptr; + } // Validation of referenced block-header. if (!free_ok) { @@ -899,8 +904,13 @@ PersistentMemoryAllocator::GetBlock(Reference ref, uint32_t type_id, return nullptr; if (block->size < size) return nullptr; - if (ref + block->size > mem_size_) + uint32_t block_size; + if (!base::CheckAdd(ref, block->size).AssignIfValid(&block_size)) { return nullptr; + } + if (block_size > mem_size_) { + return nullptr; + } if (type_id != 0 && block->type_id.load(std::memory_order_relaxed) != type_id) { return nullptr; |
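Review bot: in the first hunk (`@@ -888`), the `size += sizeof(BlockHeader);` immediately above the new `base::CheckAdd(ref, size)` is still an unchecked addition, so the overflow guard starts one operation too late; the hunk does not show the declared type of `size`, and if it is a 32-bit value a caller-supplied size near the top of that range wraps before the checked add ever sees it. Fold the header size into the same checked chain, e.g. `if (!base::CheckAdd(ref, size, sizeof(BlockHeader)).AssignIfValid(&total_size))`, so every term of the sum is covered. A smaller point: the new `if (total_size > mem_size_) { return nullptr; }` is braced while the neighbouring `if (ref % kAllocAlignment != 0) return nullptr;` is not; pick one form within the function.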
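Review bot: in the second hunk (`@@ -899`), `block->size` is read twice, once in `if (block->size < size)` and again in `base::CheckAdd(ref, block->size)`; this header lives in the allocator's persistent memory (the comment just above calls this "Validation of referenced block-header"), so another writer to that memory can change the field between the two reads and the range check then covers a different value than the one that was compared against `size`. Read it once into a local of the header field's type, e.g. `const auto found_size = block->size;`, and use that local in both checks. Also, `block_size` holds `ref + block->size`, i.e. the block's end offset rather than its size; a name such as `block_end` (and likewise `alloc_end` for `total_size` in the preceding hunk) would say what is actually being compared against `mem_size_`.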