
Bug#167902: libc6 security patch



Package: libc6
Severity: grave
Tags: woody, patch

This patch from August is still not applied to our libc6.

Wichert.

----- Forwarded message from Solar Designer <solar@openwall.com> -----

From: Solar Designer <solar@openwall.com>
Subject: glibc xdr_array and calloc patches
Date: Thu, 1 Aug 2002 10:32:07 +0400
Message-ID: <20020801103207.A25631@openwall.com>
X-Spam-Level: 

Attached are the two patches against glibc 2.1.3.  Whoever first ports
them to the CVS version or 2.2.5 please post here for others to use
and also provide them to the glibc maintainers.  It should be trivial
to port (the xdr_array patch applies cleanly except for the added #include,
and the calloc patch will need some obvious manual editing).

Both problems were still not fixed in the glibc CVS as of a few hours
ago.

-- 
/sd

diff -ur glibc-2.1.3.orig/sunrpc/rpc/types.h glibc-2.1.3/sunrpc/rpc/types.h
--- glibc-2.1.3.orig/sunrpc/rpc/types.h	Fri Oct 16 13:43:49 1998
+++ glibc-2.1.3/sunrpc/rpc/types.h	Thu Aug  1 09:06:38 2002
@@ -55,6 +55,10 @@
 
 #include <stdlib.h>		/* For malloc decl.  */
 #define mem_alloc(bsize)	malloc(bsize)
+/*
+ * XXX: This must not use the second argument, or code in xdr_array.c needs
+ * to be modified.
+ */
 #define mem_free(ptr, bsize)	free(ptr)
 
 #ifndef makedev /* ie, we haven't already included it */
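Review bot: The added comment on `mem_free` states the constraint but not what depends on it, so a later edit that makes `mem_free` use `bsize` (say, for a size-tracking allocator) would silently break xdr_array.c, which deliberately skips its overflow check under XDR_FREE and may hand an overflowed size to this macro. Name the dependent code and the reason in the comment: `/* XXX: xdr_array.c skips its size-overflow check for XDR_FREE and may pass an overflowed bsize here; mem_free must keep ignoring its second argument. */`.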
diff -ur glibc-2.1.3.orig/sunrpc/xdr_array.c glibc-2.1.3/sunrpc/xdr_array.c
--- glibc-2.1.3.orig/sunrpc/xdr_array.c	Thu Jul 16 15:23:51 1998
+++ glibc-2.1.3/sunrpc/xdr_array.c	Thu Aug  1 09:07:45 2002
@@ -44,6 +44,7 @@
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #define LASTUNSIGNED	((u_int)0-1)
 
@@ -76,7 +77,11 @@
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
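Review bot: The new condition `c > UINT_MAX / elsize` divides by `elsize`, so a caller passing `elsize == 0` now traps on a division by zero where the old code only computed a zero-size request; if a zero element size is reachable (the parameter's range is not visible in the hunk), guard the division: `if ((c > maxsize || (elsize != 0 && c > UINT_MAX / elsize)) && (xdrs->x_op != XDR_FREE))`. The check is skipped for XDR_FREE on the strength of `mem_free()` ignoring its size argument, a cross-file invariant that lives only in a comment in rpc/types.h, so the added comment here should point at it: `see the mem_free() note in rpc/types.h`. The enclosing xdr_array body starts and ends outside the hunk.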

diff -ur glibc-2.1.3.orig/malloc/malloc.c glibc-2.1.3/malloc/malloc.c
--- glibc-2.1.3.orig/malloc/malloc.c	Wed Feb 23 10:02:55 2000
+++ glibc-2.1.3/malloc/malloc.c	Thu Aug  1 09:24:10 2002
@@ -3656,12 +3656,20 @@
 {
   arena *ar_ptr;
   mchunkptr p, oldtop;
-  INTERNAL_SIZE_T sz, csz, oldtopsize;
+  INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
   Void_t* mem;
 
+  /* size_t is unsigned so the behavior on overflow is defined;
+   * request2size() uses similar post-checks anyway. */
+  bytes = n * elem_size;
+  if (bytes / elem_size != n) {
+    __set_errno (ENOMEM);
+    return 0;
+  }
+
 #if defined _LIBC || defined MALLOC_HOOKS
   if (__malloc_hook != NULL) {
-    sz = n * elem_size;
+    sz = bytes;
 #if defined __GNUC__ && __GNUC__ >= 2
     mem = (*__malloc_hook)(sz, __builtin_return_address (0));
 #else
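Review bot: The overflow check `bytes / elem_size != n` divides by `elem_size` without excluding zero, so `calloc(n, 0)`, a valid call that previously went through the normal path as a zero-byte request, now hits a division by zero (undefined behavior, a SIGFPE on common targets) before any allocation happens. Guard the division: `if (elem_size != 0 && bytes / elem_size != n) {`. The comment justifies the wrap-then-divide test by size_t being unsigned, but `bytes` is declared INTERNAL_SIZE_T; the test is only sound if `bytes`, `n` and `elem_size` share one width, which is worth confirming against the declarations above the hunk. The function's signature precedes the hunk and its body continues past it; the later hunk at `request2size(bytes, sz)` is consistent with this one.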
@@ -3678,7 +3686,7 @@
   }
 #endif
 
-  if(request2size(n * elem_size, sz))
+  if(request2size(bytes, sz))
     return 0;
   arena_get(ar_ptr, sz);
   if(!ar_ptr)


----- End forwarded message -----

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org                    http://www.wiggy.net/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


