From f0f74eb107199ff36e2b70103e8fe21b659c8866 Mon Sep 17 00:00:00 2001
From: Will Harris
Date: Thu, 2 Mar 2023 16:49:42 +0000
Subject: [Backport] CVE-2023-1219: Heap buffer overflow in Metrics (1/3)

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4279513:
Prevent potential integer overflow in PersistentMemoryAllocator
BUG=1415328
(cherry picked from commit 19de280a0c28065acf2a7e001af5c981698a461c)
Change-Id: I66dcae6a1aacc1310ddd715033b3704c932b9800
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4250177
Commit-Queue: Will Harris
Commit-Queue: Alexei Svitkine
Cr-Original-Commit-Position: refs/heads/main@{#1105177}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4279513
Commit-Queue: Zakhar Voit
Owners-Override: Victor-Gabriel Savu
Reviewed-by: Victor-Gabriel Savu
Cr-Commit-Position: refs/branch-heads/5359@{#1400}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468220
Reviewed-by: Michal Klocek
---
 chromium/base/metrics/persistent_memory_allocator.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc
index 1db378acea9..5dc3484abd6 100644
--- a/chromium/base/metrics/persistent_memory_allocator.cc
+++ b/chromium/base/metrics/persistent_memory_allocator.cc
@@ -546,7 +546,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const {
 uint32_t size = block->size;
 // Header was verified by GetBlock() but a malicious actor could change
 // the value between there and here. Check it again.
- if (size <= sizeof(BlockHeader) || ref + size > mem_size_) {
+ uint32_t total_size;
+ if (size <= sizeof(BlockHeader) ||
+ !base::CheckAdd(ref, size).AssignIfValid(&total_size) ||
+ total_size > mem_size_) {
 SetCorrupt();
 return 0;
 }
-- 
cgit v1.2.1
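Review bot: The new overflow guard on the `if` line deserves a why-comment of its own, since the comment kept above it only explains the re-check of `size`, not why the former `ref + size` was unsafe; I would add `// ref + size can wrap uint32_t, and a wrapped sum would pass the mem_size_ bound.` above `uint32_t total_size;`. Leaving `total_size` uninitialized is correct here only because the `||` chain short-circuits before `total_size > mem_size_` whenever `AssignIfValid` fails, which is subtle enough that `uint32_t total_size = 0;` would be the clearer form and keeps static analyzers quiet. The rest of GetAllocSize, including what is returned from `size` after this check, lies outside the hunk, and the "(1/3)" in the subject suggests sibling call sites carry the same pattern; those are presumably covered by the other two backports.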