r5860 - in glibc-package/branches/eglibc-2.18/debian: . patches patches/any
Author: aurel32
Date: 2013-12-03 20:20:00 +0000 (Tue, 03 Dec 2013)
New Revision: 5860
Added:
glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff
Modified:
glibc-package/branches/eglibc-2.18/debian/changelog
glibc-package/branches/eglibc-2.18/debian/patches/series
Log:
patches/any/cvs-CVE-2013-4332-memalign-2.diff: patch from upstream to
address some remaining issues from CVE-2013-4332.
Modified: glibc-package/branches/eglibc-2.18/debian/changelog
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/changelog 2013-12-03 16:33:01 UTC (rev 5859)
+++ glibc-package/branches/eglibc-2.18/debian/changelog 2013-12-03 20:20:00 UTC (rev 5860)
@@ -179,6 +179,8 @@
included in -O2.
* Replace patches/any/submitted-findlocale-div-by-zero.diff by upstream
version patches/any/cvs-findlocale-div-by-zero.diff.
+ * patches/any/cvs-CVE-2013-4332-memalign-2.diff: patch from upstream to
+ address some remaining issues from CVE-2013-4332.
-- Adam Conrad <adconrad@ubuntu.com> Sat, 09 Nov 2013 12:48:20 +0100
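Review bot: the new entry says only "some remaining issues from CVE-2013-4332", which does not tell a changelog reader what was left unfixed. The header of the added patch already has the specifics, so the entry could name them: upstream [BZ #16038] and the two functions touched, memalign_check and __libc_memalign, with the alignment limit and the overflow check on bytes.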
Added: glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff (rev 0)
+++ glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff 2013-12-03 20:20:00 UTC (rev 5860)
@@ -0,0 +1,70 @@
+2013-10-30 Will Newton <will.newton@linaro.org>
+
+ [BZ #16038]
+ * malloc/hooks.c (memalign_check): Limit alignment to the
+ maximum representable power of two.
+ * malloc/malloc.c (__libc_memalign): Likewise.
+
+2013-10-10 Will Newton <will.newton@linaro.org>
+
+ * malloc/hooks.c (memalign_check): Ensure the value of bytes
+ passed to _int_memalign does not overflow.
+
+--- a/malloc/hooks.c
++++ b/malloc/hooks.c
+@@ -361,10 +361,13 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
+ if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
+- if (bytes+1 == 0) {
+- __set_errno (ENOMEM);
+- return NULL;
+- }
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ (void)mutex_lock(&main_arena.mutex);
+ mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
+ NULL;
+ 2013-10-30 Ondřej Bílka <neleai@seznam.cz>
+
+ [BZ #11087]
+--- a/malloc/hooks.c
++++ b/malloc/hooks.c
+@@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
+ if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++ power of 2 and will cause overflow in the check below. */
++ if (alignment > SIZE_MAX / 2 + 1)
++ {
++ __set_errno (EINVAL);
++ return 0;
++ }
++
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++ power of 2 and will cause overflow in the check below. */
++ if (alignment > SIZE_MAX / 2 + 1)
++ {
++ __set_errno (EINVAL);
++ return 0;
++ }
++
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+
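Review bot: the lines between the two malloc/hooks.c diffs, "2013-10-30 Ondřej Bílka <neleai@seznam.cz>" and "[BZ #11087]", contradict the header at the top of this file, which credits the alignment limit to Will Newton under [BZ #16038]. They look like a leftover from another ChangeLog entry and should be dropped, or the attribution reconciled. The file also concatenates two changes against the same a/malloc/hooks.c: the second hooks.c hunk uses "/* Check for overflow. */" as context, which exists only once the first hunk has been applied, so a header line saying the diffs must apply in this order would help whoever refreshes the patch. On the logic, the guard "if (alignment > SIZE_MAX / 2 + 1)" sits before "if (bytes > SIZE_MAX - alignment - MINSIZE)" in both functions, which keeps that subtraction from wrapping, but the patch carries no test. A case at alignment SIZE_MAX / 2 + 1 and one just above it, expecting EINVAL for the latter, would pin the boundary.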
Modified: glibc-package/branches/eglibc-2.18/debian/patches/series
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/series 2013-12-03 16:33:01 UTC (rev 5859)
+++ glibc-package/branches/eglibc-2.18/debian/patches/series 2013-12-03 20:20:00 UTC (rev 5860)
@@ -243,6 +243,7 @@
any/cvs-tst-tls-atexit-deps.diff
any/cvs-tst-cleanup2-ret.diff
any/cvs-CVE-2013-4332-memalign.diff
+any/cvs-CVE-2013-4332-memalign-2.diff
any/cvs-CVE-2013-4332-pvalloc.diff
any/cvs-CVE-2013-4332-valloc.diff
any/cvs-CVE-2012-44xx.diff