| From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001 |
| From: Arjun Shankar <arjun@redhat.com> |
| Date: Thu, 30 Nov 2017 13:31:45 +0100 |
| Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ |
| #22375] |
| |
| When the per-thread cache is enabled, __libc_malloc uses request2size (which |
| does not perform an overflow check) to calculate the chunk size from the |
| requested allocation size. This leads to an integer overflow causing malloc |
| to incorrectly return the last successfully allocated block when called with |
| a very large size argument (close to SIZE_MAX). |
| |
| This commit uses checked_request2size instead, removing the overflow. |
| |
| (cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6) |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-17426 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| ChangeLog | 7 +++++++ |
| NEWS | 6 ++++++ |
| malloc/malloc.c | 3 ++- |
| 3 files changed, 15 insertions(+), 1 deletion(-) |
| |
| Index: git/NEWS |
| =================================================================== |
| --- git.orig/NEWS |
| +++ git/NEWS |
| @@ -4,6 +4,8 @@ See the end for copying conditions. |
| |
| Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> |
| using `glibc' in the "product" field. |
| + |
| +[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) |
| |
| Version 2.26 |
| |
| @@ -215,6 +217,11 @@ Security related changes: |
| for AT_SECURE or SUID binaries could be used to load libraries from the |
| current directory. |
| |
| + CVE-2017-17426: The malloc function, when called with an object size near |
| + the value SIZE_MAX, would return a pointer to a buffer which is too small, |
| + instead of NULL. This was a regression introduced with the new malloc |
| + thread cache in glibc 2.26. Reported by Iain Buclaw. |
| + |
| The following bugs are resolved with this release: |
| |
| [984] network: Respond to changed resolv.conf in gethostbyname |
| Index: git/malloc/malloc.c |
| =================================================================== |
| --- git.orig/malloc/malloc.c |
| +++ git/malloc/malloc.c |
| @@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes) |
| return (*hook)(bytes, RETURN_ADDRESS (0)); |
| #if USE_TCACHE |
| /* int_free also calls request2size, be careful to not pad twice. */ |
| - size_t tbytes = request2size (bytes); |
| + size_t tbytes; |
| + checked_request2size (bytes, tbytes); |
| size_t tc_idx = csize2tidx (tbytes); |
| |
| MAYBE_INIT_TCACHE (); |
| Index: git/ChangeLog |
| =================================================================== |
| --- git.orig/ChangeLog |
| +++ git/ChangeLog |
| @@ -1,3 +1,10 @@ |
| +2017-11-30 Arjun Shankar <arjun@redhat.com> |
| + |
| + [BZ #22375] |
| + CVE-2017-17426 |
| + * malloc/malloc.c (__libc_malloc): Use checked_request2size |
| + instead of request2size. |
| + |
| 2017-12-30 Aurelien Jarno <aurelien@aurel32.net> |
| Dmitry V. Levin <ldv@altlinux.org> |
| |