Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
This commit is contained in:
Siddhesh Poyarekar
parent
db59a6354f
commit
349064e5e6
46
glibc-rh1008299.patch
Normal file
46
glibc-rh1008299.patch
Normal file
@ -0,0 +1,46 @@
|
||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||||
index 3148c5f..f7718a9 100644
|
||||
--- a/malloc/malloc.c
|
||||
+++ b/malloc/malloc.c
|
||||
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
|
||||
/* Otherwise, ensure that it is at least a minimum chunk size */
|
||||
if (alignment < MINSIZE) alignment = MINSIZE;
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
arena_get(ar_ptr, bytes + alignment + MINSIZE);
|
||||
if(!ar_ptr)
|
||||
return 0;
|
||||
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
|
||||
|
||||
size_t pagesz = GLRO(dl_pagesize);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
void *(*hook) (size_t, size_t, const void *) =
|
||||
force_reg (__memalign_hook);
|
||||
if (__builtin_expect (hook != NULL, 0))
|
||||
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
|
||||
size_t page_mask = GLRO(dl_pagesize) - 1;
|
||||
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
void *(*hook) (size_t, size_t, const void *) =
|
||||
force_reg (__memalign_hook);
|
||||
if (__builtin_expect (hook != NULL, 0))
|
||||
@ -1,6 +1,6 @@
|
||||
%define glibcsrcdir glibc-2.18
|
||||
%define glibcversion 2.18
|
||||
%define glibcrelease 6%{?dist}
|
||||
%define glibcrelease 7%{?dist}
|
||||
# Pre-release tarballs are pulled in from git using a command that is
|
||||
# effectively:
|
||||
#
|
||||
@ -184,6 +184,7 @@ Patch0042: %{name}-rh970865.patch
|
||||
# Patches from upstream
|
||||
#
|
||||
Patch1001: %{name}-rh995841.patch
|
||||
Patch1002: %{name}-rh1008299.patch
|
||||
|
||||
#
|
||||
# Patches submitted, but not yet approved upstream.
|
||||
@ -543,6 +544,7 @@ package or when debugging this package.
|
||||
%patch0042 -p1
|
||||
%patch2029 -p1
|
||||
%patch2030 -p1
|
||||
%patch1002 -p1
|
||||
|
||||
##############################################################################
|
||||
# %%prep - Additional prep required...
|
||||
@ -1628,6 +1630,9 @@ rm -f *.filelist*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.18-7
|
||||
- Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
|
||||
|
||||
* Thu Aug 29 2013 Carlos O'Donell <carlos@redhat.com> - 2.18-6
|
||||
- Fix Power build (#997531).
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user