Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).

Conflicts: glibc.spec
2013-09-16 15:38:55 +05:30 · 2013-09-16 15:38:55 +05:30 · 701d18f90d
commit 701d18f90d
parent 6c0468a163
2 changed files with 52 additions and 1 deletions
--- a/glibc-rh1008299.patch
+++ b/glibc-rh1008299.patch
@ -0,0 +1,46 @@
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
+++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+   /* Otherwise, ensure that it is at least a minimum chunk size */
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   arena_get(ar_ptr, bytes + alignment + MINSIZE);
+   if(!ar_ptr)
+     return 0;
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+ 
+   size_t pagesz = GLRO(dl_pagesize);
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ 					const __malloc_ptr_t)) =
+     force_reg (__memalign_hook);
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+   size_t page_mask = GLRO(dl_pagesize) - 1;
+   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+ 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
+   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ 					const __malloc_ptr_t)) =
+     force_reg (__memalign_hook);
--- a/glibc.spec
+++ b/glibc.spec
@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 14%{?dist}
+Release: 15%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@ -129,6 +129,7 @@ Patch1007: %{name}-rh977887-2.patch
 Patch1008: %{name}-rh984829.patch
 Patch1009: %{name}-rh995841.patch
 Patch1010: %{name}-rh947892.patch
+Patch1011: %{name}-rh1008299.patch

 #
 # Patches submitted, but not yet approved upstream.
@ -445,6 +446,7 @@ package or when debugging this package.
 %patch0040 -p1
 %patch0041 -p1
 %patch0042 -p1
+%patch1011 -p1

 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@ -1235,6 +1237,9 @@ rm -f *.filelist*
 %endif

 %changelog
+* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-15
+- Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
+
 * Mon Aug 26 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.17-14
 - Add systemd to BuildRequires (#999924).
 - Expand sizes of some types in strcoll (#855399, CVE-2012-4424).