Mageia Bugzilla – Attachment 4350 Details for
Bug 11223
glibc - integer overflow in pvalloc, valloc, and memalign (CVE-2013-4332)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
[patch]
patch from http://www.openwall.com/lists/oss-security/2013/09/12/6
glibc-2.17_CVE-2013-4332.diff (text/plain), 1.95 KB, created by
Oden Eriksson
on 2013-09-13 09:07:11 CEST
(
hide
)
Description:
patch from http://www.openwall.com/lists/oss-security/2013/09/12/6
Filename:
MIME Type:
Creator:
Oden Eriksson
Created:
2013-09-13 09:07:11 CEST
Size:
1.95 KB
patch
obsolete
>From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 >From: mancha <mancha1@hush.com> >Date: Wed, 11 Sep 2013 >Subject: CVE-2013-4332 > >malloc: Check for integer overflow in pvalloc, valloc, and memalign. > >A large bytes parameter to pvalloc, valloc, or memalign could cause >an integer overflow and corrupt allocator internals. Check the >overflow does not occur before continuing with the allocation. > >Note: This is a backport to glibc 2.17 of the following three commits: > * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a > * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef > * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d >--- > >malloc.c | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > >--- a/malloc/malloc.c >+++ b/malloc/malloc.c >@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t > /* Otherwise, ensure that it is at least a minimum chunk size */ > if (alignment < MINSIZE) alignment = MINSIZE; > >+ /* Check for overflow. */ >+ if (bytes > SIZE_MAX - alignment - MINSIZE) >+ { >+ __set_errno (ENOMEM); >+ return 0; >+ } >+ > arena_get(ar_ptr, bytes + alignment + MINSIZE); > if(!ar_ptr) > return 0; >@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) > > size_t pagesz = GLRO(dl_pagesize); > >+ /* Check for overflow. */ >+ if (bytes > SIZE_MAX - pagesz - MINSIZE) >+ { >+ __set_errno (ENOMEM); >+ return 0; >+ } >+ > __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, > const __malloc_ptr_t)) = > force_reg (__memalign_hook); >@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) > size_t page_mask = GLRO(dl_pagesize) - 1; > size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); > >+ /* Check for overflow. */ >+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) >+ { >+ __set_errno (ENOMEM); >+ return 0; >+ } >+ > __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, > const __malloc_ptr_t)) = > force_reg (__memalign_hook);
From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 From: mancha <mancha1@hush.com> Date: Wed, 11 Sep 2013 Subject: CVE-2013-4332 malloc: Check for integer overflow in pvalloc, valloc, and memalign. A large bytes parameter to pvalloc, valloc, or memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. Note: This is a backport to glibc 2.17 of the following three commits: * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d --- malloc.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; @@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, const __malloc_ptr_t)) = force_reg (__memalign_hook); @@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) size_t page_mask = GLRO(dl_pagesize) - 1; size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + /* Check for overflow. */ + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, const __malloc_ptr_t)) = force_reg (__memalign_hook);
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 11223
: 4350