r5694 - in glibc-package/trunk/debian: . patches patches/any
Author: adconrad
Date: 2013-09-13 18:10:20 +0000 (Fri, 13 Sep 2013)
New Revision: 5694
Added:
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-memalign.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-pvalloc.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-valloc.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
patches/any/cvs-CVE-2013-4332-*.diff: Backport git fixes for integer
overflows in allocator functions: CVE-2013-4332 (Closes: #722536)
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2013-09-08 03:59:31 UTC (rev 5693)
+++ glibc-package/trunk/debian/changelog 2013-09-13 18:10:20 UTC (rev 5694)
@@ -3,6 +3,8 @@
[ Adam Conrad ]
* patches/any/cvs-tst-cancel4-buf.diff: Increase nptl test case buffer
size to 16384 so we really block on current (>= 3.10) Linux kernels.
+ * patches/any/cvs-CVE-2013-4332-*.diff: Backport git fixes for integer
+ overflows in allocator functions: CVE-2013-4332 (Closes: #722536)
[ Samuel Thibault ]
* patches/hurd-i386/unsubmitted-clock_t_centiseconds.diff: New patch from
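Review bot: The new changelog entry says only "allocator functions"; naming memalign, pvalloc and valloc there would let a reader see which entry points the CVE-2013-4332 fix covers without expanding the cvs-CVE-2013-4332-*.diff glob.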
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-memalign.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-memalign.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-memalign.diff 2013-09-13 18:10:20 UTC (rev 5694)
@@ -0,0 +1,36 @@
+commit b73ed247781d533628b681f57257dc85882645d3
+Author: Will Newton <will.newton@linaro.org>
+Date: Fri Aug 16 12:54:29 2013 +0100
+
+ malloc: Check for integer overflow in memalign.
+
+ A large bytes parameter to memalign could cause an integer overflow
+ and corrupt allocator internals. Check the overflow does not occur
+ before continuing with the allocation.
+
+ ChangeLog:
+
+ 2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15857]
+ * malloc/malloc.c (__libc_memalign): Check the value of bytes
+ does not overflow.
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
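Review bot: In the added check "bytes > SIZE_MAX - alignment - MINSIZE" the right-hand side is itself an unsigned subtraction, and the visible context only clamps alignment from below ("if (alignment < MINSIZE) alignment = MINSIZE;"). If a caller passes an alignment larger than SIZE_MAX - MINSIZE, that subtraction wraps, the comparison can never be true, and the "bytes + alignment + MINSIZE" passed to arena_get can still overflow. Unless alignment is bounded earlier in __libc_memalign, outside this hunk, reject an oversized alignment first, for example by testing alignment > SIZE_MAX - MINSIZE before subtracting.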
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-pvalloc.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-pvalloc.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-pvalloc.diff 2013-09-13 18:10:20 UTC (rev 5694)
@@ -0,0 +1,36 @@
+commit 1159a193696ad48ec86e5895f6dee3e539619c0e
+Author: Will Newton <will.newton@linaro.org>
+Date: Mon Aug 12 15:08:02 2013 +0100
+
+ malloc: Check for integer overflow in pvalloc.
+
+ A large bytes parameter to pvalloc could cause an integer overflow
+ and corrupt allocator internals. Check the overflow does not occur
+ before continuing with the allocation.
+
+ ChangeLog:
+
+ 2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15855]
+ * malloc/malloc.c (__libc_pvalloc): Check the value of bytes
+ does not overflow.
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index dd295f5..7f43ba3 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+ size_t page_mask = GLRO(dl_pagesize) - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ const __malloc_ptr_t)) =
+ force_reg (__memalign_hook);
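Review bot: The check "bytes > SIZE_MAX - 2*pagesz - MINSIZE" uses pagesz, but the context lines of this hunk only show page_mask and rounded_bytes being declared, so confirm pagesz is declared earlier in __libc_pvalloc in the tree this backport applies to. Also, rounded_bytes is initialised as "(bytes + page_mask) & ~(page_mask)" on the context line above the check, so that addition can wrap before the guard runs. That is harmless only while nothing reads rounded_bytes before the early return; a comment saying so, or moving the computation below the check, would keep it that way.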
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-valloc.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-valloc.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4332-valloc.diff 2013-09-13 18:10:20 UTC (rev 5694)
@@ -0,0 +1,36 @@
+commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331
+Author: Will Newton <will.newton@linaro.org>
+Date: Fri Aug 16 11:59:37 2013 +0100
+
+ malloc: Check for integer overflow in valloc.
+
+ A large bytes parameter to valloc could cause an integer overflow
+ and corrupt allocator internals. Check the overflow does not occur
+ before continuing with the allocation.
+
+ ChangeLog:
+
+ 2013-09-11 Will Newton <will.newton@linaro.org>
+
+ [BZ #15856]
+ * malloc/malloc.c (__libc_valloc): Check the value of bytes
+ does not overflow.
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 7f43ba3..3148c5f 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+
+ size_t pagesz = GLRO(dl_pagesize);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
+ const __malloc_ptr_t)) =
+ force_reg (__memalign_hook);
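Review bot: The guard added to __libc_valloc, "bytes > SIZE_MAX - pagesz - MINSIZE", comes with no test: the patch touches only malloc/malloc.c. A small regression test that calls valloc with a size near SIZE_MAX and expects a null return with errno set to ENOMEM would confirm the backport behaves on this glibc version and would catch a later patch refresh that drops the check.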
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2013-09-08 03:59:31 UTC (rev 5693)
+++ glibc-package/trunk/debian/patches/series 2013-09-13 18:10:20 UTC (rev 5694)
@@ -248,3 +248,6 @@
any/cvs-gethostbyname-numeric.diff
any/cvs-getaddrinfo-EAI_NONAME.diff
any/cvs-tst-cancel4-buf.diff
+any/cvs-CVE-2013-4332-memalign.diff
+any/cvs-CVE-2013-4332-pvalloc.diff
+any/cvs-CVE-2013-4332-valloc.diff
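Review bot: The three entries are appended as memalign, pvalloc, valloc, but the index lines in the patches (dd295f5..7f43ba3 for pvalloc, 7f43ba3..3148c5f for valloc, 3148c5f..f7718a9 for memalign) show they were committed in the order pvalloc, valloc, memalign. All three edit malloc/malloc.c, so listing them in that original order would avoid the extra line offsets the reordering introduces when the later two are applied.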