CVS commit: src/sys/external/bsd/libnv/dist

["Taylor R Campbell" <riastradh%netbsd.org@localhost>]

Module Name:    src
Committed By:   riastradh
Date:           Wed Sep  4 12:57:00 UTC 2024

Modified Files:
        src/sys/external/bsd/libnv/dist: nv_kern_netbsd.c nvlist.c nvpair.c

Log Message:
libnv: Avoid arithmetic overflow in array allocation.

1. Teach nv_calloc and nv_strdup to detect arithmetic overflow.
2. Convert nv_malloc(sizeof(...) * N) to nv_calloc(N, sizeof(...)).

I reviewed all the remaining nv_malloc calls, because some of them
have the multiplication separated from the nv_malloc call.  Of the
remaining callers:

- nv_calloc (now) checks for overflow
- nv_strdup (now) checks for overflow
- nvlist_create uses a fixed sizeof(...) without arithmetic
- nvlist_xpack doesn't directly check bounds, but as long as the wire
  format is smaller than the in-memory size, that's not a problem
- nvlist_recv checks for sizeof(nvlhdr) + nvlhdr.nvlh_size overflow
- nvpair_unpack_binary uses nvp->nvp_datasize without arithmetic
- nvpair_unpack_bool_array checks for unsigned overflow
- nvpair_unpack_number_array checks for unsigned overflow
- nvpair_unpack_descriptor_array checks for unsigned overflow
- nvpair_create_binary uses caller-supplied size without arithmetic

Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo%FreeBSD.org@localhost>.

CVE-2024-45287

PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
cvs rdiff -u -r1.9 -r1.10 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.11 -r1.12 src/sys/external/bsd/libnv/dist/nvpair.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.