
r5860 - in glibc-package/branches/eglibc-2.18/debian: . patches patches/any



Author: aurel32
Date: 2013-12-03 20:20:00 +0000 (Tue, 03 Dec 2013)
New Revision: 5860

Added:
   glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff
Modified:
   glibc-package/branches/eglibc-2.18/debian/changelog
   glibc-package/branches/eglibc-2.18/debian/patches/series
Log:
patches/any/cvs-CVE-2013-4332-memalign-2.diff: patch from upstream to
address some remaining issues from CVE-2013-4332.



Modified: glibc-package/branches/eglibc-2.18/debian/changelog
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/changelog	2013-12-03 16:33:01 UTC (rev 5859)
+++ glibc-package/branches/eglibc-2.18/debian/changelog	2013-12-03 20:20:00 UTC (rev 5860)
@@ -179,6 +179,8 @@
     included in -O2.
   * Replace patches/any/submitted-findlocale-div-by-zero.diff by upstream
     version patches/any/cvs-findlocale-div-by-zero.diff.
+  * patches/any/cvs-CVE-2013-4332-memalign-2.diff: patch from upstream to
+    address some remaining issues from CVE-2013-4332.
 
  -- Adam Conrad <adconrad@ubuntu.com>  Sat, 09 Nov 2013 12:48:20 +0100
 

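Review bot: The new changelog entry says only "some remaining issues" and does not say which ones. The patch it refers to cites [BZ #16038] and touches memalign_check and __libc_memalign, so naming the bug number and the alignment limit in the entry would let someone auditing CVE-2013-4332 coverage see from debian/changelog what this revision adds on top of cvs-CVE-2013-4332-memalign.diff.
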
Added: glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff	                        (rev 0)
+++ glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4332-memalign-2.diff	2013-12-03 20:20:00 UTC (rev 5860)
@@ -0,0 +1,70 @@
+2013-10-30  Will Newton  <will.newton@linaro.org>
+
+	[BZ #16038]
+	* malloc/hooks.c (memalign_check): Limit alignment to the
+	maximum representable power of two.
+	* malloc/malloc.c (__libc_memalign): Likewise.
+
+2013-10-10  Will Newton  <will.newton@linaro.org>
+
+	* malloc/hooks.c (memalign_check): Ensure the value of bytes
+	passed to _int_memalign does not overflow.
+
+--- a/malloc/hooks.c
++++ b/malloc/hooks.c
+@@ -361,10 +361,13 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
+   if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
+-  if (bytes+1 == 0) {
+-    __set_errno (ENOMEM);
+-    return NULL;
+-  }
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - alignment - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   (void)mutex_lock(&main_arena.mutex);
+   mem = (top_check() >= 0) ? _int_memalign(&main_arena, alignment, bytes+1) :
+     NULL;
+ 2013-10-30  Ondřej Bílka  <neleai@seznam.cz>
+ 
+ 	[BZ #11087]
+--- a/malloc/hooks.c
++++ b/malloc/hooks.c
+@@ -361,6 +361,14 @@ memalign_check(size_t alignment, size_t bytes, const void *caller)
+   if (alignment <= MALLOC_ALIGNMENT) return malloc_check(bytes, NULL);
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
++  /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++     power of 2 and will cause overflow in the check below.  */
++  if (alignment > SIZE_MAX / 2 + 1)
++    {
++      __set_errno (EINVAL);
++      return 0;
++    }
++
+   /* Check for overflow.  */
+   if (bytes > SIZE_MAX - alignment - MINSIZE)
+     {
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3016,6 +3016,14 @@ __libc_memalign(size_t alignment, size_t bytes)
+   /* Otherwise, ensure that it is at least a minimum chunk size */
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
++  /* If the alignment is greater than SIZE_MAX / 2 + 1 it cannot be a
++     power of 2 and will cause overflow in the check below.  */
++  if (alignment > SIZE_MAX / 2 + 1)
++    {
++      __set_errno (EINVAL);
++      return 0;
++    }
++
+   /* Check for overflow.  */
+   if (bytes > SIZE_MAX - alignment - MINSIZE)
+     {
+
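
Review bot: Three context lines from an upstream ChangeLog hunk (" 2013-10-30  Ondřej Bílka", a blank line, and "[BZ #11087]") are left over after the first malloc/hooks.c hunk in the added file. The line counts in "@@ -361,10 +361,13 @@" are already satisfied by the lines before them, so they belong to no hunk and should be dropped to keep the patch clean and avoid implying that BZ #11087 is addressed here. The file header also carries only the two ChangeLog entries, with no upstream commit reference, which makes it hard to confirm later that both upstream changes were taken in full; adding that reference would help. Two smaller points: the new early-exit paths use "return 0;" where the removed lines used "return NULL;", and the same alignment bound "alignment > SIZE_MAX / 2 + 1" is repeated verbatim in memalign_check and __libc_memalign, so the two copies need to be kept in step by hand if the limit ever changes.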

Modified: glibc-package/branches/eglibc-2.18/debian/patches/series
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/series	2013-12-03 16:33:01 UTC (rev 5859)
+++ glibc-package/branches/eglibc-2.18/debian/patches/series	2013-12-03 20:20:00 UTC (rev 5860)
@@ -243,6 +243,7 @@
 any/cvs-tst-tls-atexit-deps.diff
 any/cvs-tst-cleanup2-ret.diff
 any/cvs-CVE-2013-4332-memalign.diff
+any/cvs-CVE-2013-4332-memalign-2.diff
 any/cvs-CVE-2013-4332-pvalloc.diff
 any/cvs-CVE-2013-4332-valloc.diff
 any/cvs-CVE-2012-44xx.diff

