r5862 - in glibc-package/branches/glibc-branch-wheezy/debian: . patches patches/any
Author: aurel32
Date: 2013-12-03 21:10:27 +0000 (Tue, 03 Dec 2013)
New Revision: 5862
Added:
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4332.diff
Modified:
glibc-package/branches/glibc-branch-wheezy/debian/changelog
glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
patches/any/cvs-CVE-2013-4332.diff: backport integer overflow fixes
in pvalloc, valloc, posix_memalign, memalign and aligned_alloc functions,
addressing CVE-2013-4332 (Closes: #722536).
Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-03 20:31:45 UTC (rev 5861)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-03 21:10:27 UTC (rev 5862)
@@ -17,6 +17,9 @@
* patches/any/cvs-CVE-2013-4458.diff: backport stack (frame) overflow fixes
in getaddrinfo() when called with AF_INET6, addressing CVE-2013-4458
(Closes: #727181).
+ * patches/any/cvs-CVE-2013-4332.diff: backport integer overflow fixes
+ in pvalloc, valloc, posix_memalign, memalign and aligned_alloc functions,
+ addressing CVE-2013-4332 (Closes: #722536).
* patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
#718890, #730336).
Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4332.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4332.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4332.diff 2013-12-03 21:10:27 UTC (rev 5862)
@@ -0,0 +1,110 @@
+2013-10-30 Will Newton <will.newton@linaro.org>
+
+ [BZ #16038]
+ * malloc/hooks.c (memalign_check): Limit alignment to the
+ maximum representable power of two.
+ * malloc/malloc.c (__libc_memalign): Likewise.
+
+2013-10-10 Will Newton <will.newton@linaro.org>
+
+ * malloc/hooks.c (memalign_check): Ensure the value of bytes
+ passed to _int_memalign does not overflow.
+
+2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15857]
+ * malloc/malloc.c (__libc_memalign): Check the value of bytes
+ does not overflow.
+
+2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15856]
+ * malloc/malloc.c (__libc_valloc): Check the value of bytes
+ does not overflow.
+
+2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15855]
+ * malloc/malloc.c (__libc_pvalloc): Check the value of bytes
+ does not overflow.
+
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3874,6 +3874,21 @@
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++ power of 2 and will cause overflow in the check below. */
++ if (alignment > SIZE_MAX / 2 + 1)
++ {
++ __set_errno (EINVAL);
++ return 0;
++ }
++
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
+@@ -3919,6 +3934,13 @@
+
+ size_t pagesz = mp_.pagesize;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ __const __malloc_ptr_t)) =
+ force_reg (__memalign_hook);
+@@ -3967,6 +3989,13 @@
+ size_t page_mask = mp_.pagesize - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ __const __malloc_ptr_t)) =
+ force_reg (__memalign_hook);
+--- a/malloc/hooks.c
++++ b/malloc/hooks.c
+@@ -404,10 +404,21 @@
+ if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
+- if (bytes+1 == 0) {
+- MALLOC_FAILURE_ACTION;
+- return NULL;
+- }
++ /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++ power of 2 and will cause overflow in the check below. */
++ if (alignment > SIZE_MAX / 2 + 1)
++ {
++ __set_errno (EINVAL);
++ return 0;
++ }
++
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ MALLOC_FAILURE_ACTION;
++ return 0;
++ }
++
+ checked_request2size(bytes+1, nb);
+ (void)mutex_lock(&main_arena.mutex);
+ mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
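Review bot: In the __libc_pvalloc hunk the new overflow guard sits one line below `size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);`, so the page rounding is computed before the request size has been validated; on size_t the wrap is defined and the guard returns before rounded_bytes is used, but the order reads as if the rounded value had been checked. Moving that declaration below the `if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)` block keeps every derived size behind the guard, and makes the hunk match the memalign and valloc hunks where nothing is derived from bytes ahead of the check. In the hooks.c hunk the guard bounds `bytes`, but the value actually requested is `bytes+1` (passed to both checked_request2size and _int_memalign), so the arithmetic it protects is one byte off from the guarded quantity; presumably the boundary case is still rejected by checked_request2size, but that is worth confirming rather than relying on the replaced `bytes+1 == 0` test having been subsumed. All four enclosing functions start and end outside these hunks.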
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-03 20:31:45 UTC (rev 5861)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-03 21:10:27 UTC (rev 5862)
@@ -379,5 +379,6 @@
any/cvs-CVE-2013-0242.diff
any/cvs-CVE-2013-1914.diff
any/cvs-CVE-2013-4237.diff
+any/cvs-CVE-2013-4332.diff
any/cvs-CVE-2013-4458.diff
any/cvs-findlocale-div-by-zero.diff