diff options
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch')
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/import-layers/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch new file mode 100644 index 000000000..c7d1cb86d --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch @@ -0,0 +1,80 @@ +From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001 +From: Arjun Shankar <arjun@redhat.com> +Date: Thu, 30 Nov 2017 13:31:45 +0100 +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ + #22375] + +When the per-thread cache is enabled, __libc_malloc uses request2size (which +does not perform an overflow check) to calculate the chunk size from the +requested allocation size. This leads to an integer overflow causing malloc +to incorrectly return the last successfully allocated block when called with +a very large size argument (close to SIZE_MAX). + +This commit uses checked_request2size instead, removing the overflow. + +(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6) + +Upstream-Status: Backport +CVE: CVE-2017-17426 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 7 +++++++ + NEWS | 6 ++++++ + malloc/malloc.c | 3 ++- + 3 files changed, 15 insertions(+), 1 deletion(-) + +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -4,6 +4,8 @@ See the end for copying conditions. + + Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> + using `glibc' in the "product" field. ++ ++[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) + + Version 2.26 + +@@ -215,6 +217,11 @@ Security related changes: + for AT_SECURE or SUID binaries could be used to load libraries from the + current directory. + ++ CVE-2017-17426: The malloc function, when called with an object size near ++ the value SIZE_MAX, would return a pointer to a buffer which is too small, ++ instead of NULL. This was a regression introduced with the new malloc ++ thread cache in glibc 2.26. Reported by Iain Buclaw. ++ + The following bugs are resolved with this release: + + [984] network: Respond to changed resolv.conf in gethostbyname +Index: git/malloc/malloc.c +=================================================================== +--- git.orig/malloc/malloc.c ++++ git/malloc/malloc.c +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes) + return (*hook)(bytes, RETURN_ADDRESS (0)); + #if USE_TCACHE + /* int_free also calls request2size, be careful to not pad twice. */ +- size_t tbytes = request2size (bytes); ++ size_t tbytes; ++ checked_request2size (bytes, tbytes); + size_t tc_idx = csize2tidx (tbytes); + + MAYBE_INIT_TCACHE (); +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,10 @@ ++2017-11-30 Arjun Shankar <arjun@redhat.com> ++ ++ [BZ #22375] ++ CVE-2017-17426 ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size ++ instead of request2size. ++ + 2017-12-30 Aurelien Jarno <aurelien@aurel32.net> + Dmitry V. Levin <ldv@altlinux.org> + |