[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch:
aurel32 pushed a commit to branch glibc-2.26
in repository glibc.
commit 3f27ba0ba9c424224bed42a2d6a271bbb4a2b9e0
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Thu Dec 7 00:14:32 2017 +0100
debian/patches/git-updates.diff: update from upstream stable branch:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix malloc returning pointer from tcache_get when it should return
NULL (CVE-2017-17426). Closes: #883729.
---
debian/changelog | 4 +-
debian/patches/git-updates.diff | 114 ++++++++++++++++++++++++++++------------
2 files changed, 82 insertions(+), 36 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a3376be..765b1c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,9 @@ glibc (2.26-0experimental2) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
* debian/testsuite-xfail-debian.mk: move double-lround XFAILs from mips64el
to mipsel.
- * debian/patches/git-updates.diff: update from upstream stable branch.
+ * debian/patches/git-updates.diff: update from upstream stable branch:
+ - Fix malloc returning pointer from tcache_get when it should returns
+ NULL (CVE-2017-17426). Closes: #883729.
* debian/control.in/libc: add a Breaks: libperl5.26 (<< 5.26.1-3) to
@libc@-dev to handle the xlocale.h removal. Closes: #883392.
* debian/control.in/main: point the Vcs-Git field to the glibc-2.26 branch
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 9b652ee..1d7d929 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,23 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.26/master from glibc-2.26
diff --git a/ChangeLog b/ChangeLog
-index 8dbfc7eaff..fab886ab01 100644
+index 8dbfc7eaff..42224c0a2f 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,987 @@
+@@ -1,3 +1,1000 @@
++2017-10-15 H.J. Lu <hongjiu.lu@intel.com>
++
++ [BZ #22052]
++ * malloc/hooks.c (realloc_check): Use DIAG_IGNORE_NEEDS_COMMENT
++ to silence -O3 -Wall warning with GCC 7.
++
++2017-11-30 Arjun Shankar <arjun@redhat.com>
++
++ [BZ #22375]
++ CVE-2017-17426
++ * malloc/malloc.c (__libc_malloc): Use checked_request2size
++ instead of request2size.
++
+2017-11-02 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #22332]
@@ -1016,10 +1029,10 @@ index 9bb707c168..828a445f24 100644
# Don't try to use -lc when making libc.so itself.
# Also omits crti.o and crtn.o, which we do not want
diff --git a/NEWS b/NEWS
-index 8295f20c0a..61bffe0451 100644
+index 8295f20c0a..8810b57cd9 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,74 @@ See the end for copying conditions.
+@@ -5,6 +5,81 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@@ -1057,6 +1070,11 @@ index 8295f20c0a..61bffe0451 100644
+ without GLOB_NOESCAPE, could write past the end of a buffer while
+ unescaping user names. Reported by Tim Rühsen.
+
++ CVE-2017-17426: The malloc function, when called with an object size near
++ the value SIZE_MAX, would return a pointer to a buffer which is too small,
++ instead of NULL. This was a regression introduced with the new malloc
++ thread cache in glibc 2.26. Reported by Iain Buclaw.
++
+The following bugs are resolved with this release:
+
+ [16750] ldd: Never run file directly.
@@ -1076,6 +1094,7 @@ index 8295f20c0a..61bffe0451 100644
+ occur with -O3
+ [21987] Fix sparc32 bits/long-double.h
+ [22051] libc: zero terminator in the middle of glibc's .eh_frame
++ [22052] malloc failed to compile with GCC 7 and -O3
+ [22078] nss_files performance issue in hosts multi mode
+ [22093] x86: Add x86_64 to x86-64 HWCAP
+ [22095] resolv: Fix memory leak with OOM during resolv.conf parsing
@@ -1090,6 +1109,7 @@ index 8295f20c0a..61bffe0451 100644
+ [22321] sysconf: Fix missing definition of UIO_MAXIOV on Linux
+ [22322] libc: [mips64] wrong bits/long-double.h installed
+ [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671)
++ [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
+
Version 2.26
@@ -1608,7 +1628,7 @@ index e6dc9fbc68..63c981bf61 100644
if (list->array == scratch)
{
diff --git a/malloc/hooks.c b/malloc/hooks.c
-index 1d80be20d2..4398c0a017 100644
+index 1d80be20d2..2c6cebc889 100644
--- a/malloc/hooks.c
+++ b/malloc/hooks.c
@@ -121,12 +121,7 @@ malloc_check_get_size (mchunkptr p)
@@ -1731,7 +1751,7 @@ index 1d80be20d2..4398c0a017 100644
if (newmem)
{
memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ);
-@@ -386,12 +341,10 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
+@@ -386,19 +341,24 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
}
else
{
@@ -1747,8 +1767,22 @@ index 1d80be20d2..4398c0a017 100644
+ newmem = _int_realloc (&main_arena, oldp, oldsize, nb);
}
++ DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++ /* GCC 7 warns about magic_p may be used uninitialized. But we never
++ reach here if magic_p is uninitialized. */
++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Wmaybe-uninitialized");
++#endif
/* mem2chunk_check changed the magic byte in the old chunk.
-@@ -441,8 +394,8 @@ memalign_check (size_t alignment, size_t bytes, const void *caller)
+ If newmem is NULL, then the old chunk will still be used though,
+ so we need to invert that change here. */
+ if (newmem == NULL)
+ *magic_p ^= 0xFF;
++ DIAG_POP_NEEDS_COMMENT;
+
+ __libc_lock_unlock (main_arena.mutex);
+
+@@ -441,8 +401,8 @@ memalign_check (size_t alignment, size_t bytes, const void *caller)
}
__libc_lock_lock (main_arena.mutex);
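Review bot: The justification comment on the new `-Wmaybe-uninitialized` suppression only asserts that `magic_p` cannot be uninitialized here; it would be more useful to state why, presumably that `magic_p` is assigned by the `mem2chunk_check` call earlier in `realloc_check` (outside this hunk) on every path that reaches this point — confirm against the function head. I would also tighten the wording: `/* GCC 7 warns that magic_p may be used uninitialized, but every path reaching this point has had magic_p set by mem2chunk_check above.  */`. `realloc_check` starts before this hunk.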
@@ -1760,7 +1794,7 @@ index 1d80be20d2..4398c0a017 100644
return mem2mem_check (mem, bytes);
}
diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 54e406bcb6..7783d05651 100644
+index 54e406bcb6..6a52c288de 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -243,6 +243,9 @@
@@ -2025,7 +2059,17 @@ index 54e406bcb6..7783d05651 100644
}
text_set_element (__libc_thread_subfreeres, tcache_thread_freeres);
-@@ -3066,6 +3045,14 @@ __libc_malloc (size_t bytes)
+@@ -3050,7 +3029,8 @@ __libc_malloc (size_t bytes)
+ return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+ /* int_free also calls request2size, be careful to not pad twice. */
+- size_t tbytes = request2size (bytes);
++ size_t tbytes;
++ checked_request2size (bytes, tbytes);
+ size_t tc_idx = csize2tidx (tbytes);
+
+ MAYBE_INIT_TCACHE ();
+@@ -3066,6 +3046,14 @@ __libc_malloc (size_t bytes)
DIAG_POP_NEEDS_COMMENT;
#endif
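Review bot: The new `checked_request2size (bytes, tbytes);` call hides an early return: unlike `request2size`, the checked form (defined elsewhere in malloc.c, not shown here) leaves `__libc_malloc` with errno set to ENOMEM when the request is out of range, which is the CVE-2017-17426 fix but is invisible at the call site. I would add a one-line comment so the next reader does not take `tbytes` for a plain rounded size: `/* checked_request2size returns NULL (ENOMEM) from __libc_malloc for out-of-range sizes, so tc_idx below is only computed for in-range requests.  */`. The comment just above it, `/* int_free also calls request2size, be careful to not pad twice. */`, still names the unchecked macro and could mention that this side now uses the checked form. `__libc_malloc` starts and ends outside this hunk.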
@@ -2040,7 +2084,7 @@ index 54e406bcb6..7783d05651 100644
arena_get (ar_ptr, bytes);
victim = _int_malloc (ar_ptr, bytes);
-@@ -3177,11 +3164,7 @@ __libc_realloc (void *oldmem, size_t bytes)
+@@ -3177,11 +3165,7 @@ __libc_realloc (void *oldmem, size_t bytes)
if ((__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0)
|| __builtin_expect (misaligned_chunk (oldp), 0))
&& !DUMPED_MAIN_ARENA_CHUNK (oldp))
@@ -2053,7 +2097,7 @@ index 54e406bcb6..7783d05651 100644
checked_request2size (bytes, nb);
-@@ -3226,6 +3209,15 @@ __libc_realloc (void *oldmem, size_t bytes)
+@@ -3226,6 +3210,15 @@ __libc_realloc (void *oldmem, size_t bytes)
return newmem;
}
@@ -2069,7 +2113,7 @@ index 54e406bcb6..7783d05651 100644
__libc_lock_lock (ar_ptr->mutex);
newp = _int_realloc (ar_ptr, oldp, oldsize, nb);
-@@ -3301,6 +3293,15 @@ _mid_memalign (size_t alignment, size_t bytes, void *address)
+@@ -3301,6 +3294,15 @@ _mid_memalign (size_t alignment, size_t bytes, void *address)
alignment = a;
}
@@ -2085,7 +2129,7 @@ index 54e406bcb6..7783d05651 100644
arena_get (ar_ptr, bytes + alignment + MINSIZE);
p = _int_memalign (ar_ptr, alignment, bytes);
-@@ -3393,7 +3394,11 @@ __libc_calloc (size_t n, size_t elem_size)
+@@ -3393,7 +3395,11 @@ __libc_calloc (size_t n, size_t elem_size)
MAYBE_INIT_TCACHE ();
@@ -2098,7 +2142,7 @@ index 54e406bcb6..7783d05651 100644
if (av)
{
/* Check if we hand out the top chunk, in which case there may be no
-@@ -3423,19 +3428,21 @@ __libc_calloc (size_t n, size_t elem_size)
+@@ -3423,19 +3429,21 @@ __libc_calloc (size_t n, size_t elem_size)
}
mem = _int_malloc (av, sz);
@@ -2128,7 +2172,7 @@ index 54e406bcb6..7783d05651 100644
/* Allocation failed even after a retry. */
if (mem == 0)
-@@ -3527,8 +3534,6 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3527,8 +3535,6 @@ _int_malloc (mstate av, size_t bytes)
size_t tcache_unsorted_count; /* count of unsorted chunks processed */
#endif
@@ -2137,7 +2181,7 @@ index 54e406bcb6..7783d05651 100644
/*
Convert request size to internal form by adding SIZE_SZ bytes
overhead plus possibly more to obtain necessary alignment and/or
-@@ -3570,42 +3575,50 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3570,42 +3576,50 @@ _int_malloc (mstate av, size_t bytes)
{
idx = fastbin_index (nb);
mfastbinptr *fb = &fastbin (av, idx);
@@ -2218,7 +2262,7 @@ index 54e406bcb6..7783d05651 100644
}
/*
-@@ -3628,11 +3641,9 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3628,11 +3642,9 @@ _int_malloc (mstate av, size_t bytes)
else
{
bck = victim->bk;
@@ -2233,7 +2277,7 @@ index 54e406bcb6..7783d05651 100644
set_inuse_bit_at_offset (victim, nb);
bin->bk = bck;
bck->fd = bin;
-@@ -3687,7 +3698,7 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3687,7 +3699,7 @@ _int_malloc (mstate av, size_t bytes)
else
{
idx = largebin_index (nb);
@@ -2242,7 +2286,7 @@ index 54e406bcb6..7783d05651 100644
malloc_consolidate (av);
}
-@@ -3723,8 +3734,7 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3723,8 +3735,7 @@ _int_malloc (mstate av, size_t bytes)
if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0)
|| __builtin_expect (chunksize_nomask (victim)
> av->system_mem, 0))
@@ -2252,7 +2296,7 @@ index 54e406bcb6..7783d05651 100644
size = chunksize (victim);
/*
-@@ -3929,11 +3939,8 @@ _int_malloc (mstate av, size_t bytes)
+@@ -3929,11 +3940,8 @@ _int_malloc (mstate av, size_t bytes)
have to perform a complete insert here. */
bck = unsorted_chunks (av);
fwd = bck->fd;
@@ -2266,7 +2310,7 @@ index 54e406bcb6..7783d05651 100644
remainder->bk = bck;
remainder->fd = fwd;
bck->fd = remainder;
-@@ -4036,11 +4043,8 @@ _int_malloc (mstate av, size_t bytes)
+@@ -4036,11 +4044,8 @@ _int_malloc (mstate av, size_t bytes)
have to perform a complete insert here. */
bck = unsorted_chunks (av);
fwd = bck->fd;
@@ -2280,7 +2324,7 @@ index 54e406bcb6..7783d05651 100644
remainder->bk = bck;
remainder->fd = fwd;
bck->fd = remainder;
-@@ -4102,7 +4106,7 @@ _int_malloc (mstate av, size_t bytes)
+@@ -4102,7 +4107,7 @@ _int_malloc (mstate av, size_t bytes)
/* When we are using atomic ops to free fast chunks we can get
here for all block sizes. */
@@ -2289,7 +2333,7 @@ index 54e406bcb6..7783d05651 100644
{
malloc_consolidate (av);
/* restore original bin index */
-@@ -4141,9 +4145,6 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4141,9 +4146,6 @@ _int_free (mstate av, mchunkptr p, int have_lock)
mchunkptr bck; /* misc temp for linking */
mchunkptr fwd; /* misc temp for linking */
@@ -2299,7 +2343,7 @@ index 54e406bcb6..7783d05651 100644
size = chunksize (p);
/* Little security check which won't hurt performance: the
-@@ -4152,21 +4153,11 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4152,21 +4154,11 @@ _int_free (mstate av, mchunkptr p, int have_lock)
here by accident or by "design" from some intruder. */
if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0)
|| __builtin_expect (misaligned_chunk (p), 0))
@@ -2323,7 +2367,7 @@ index 54e406bcb6..7783d05651 100644
check_inuse_chunk(av, p);
-@@ -4205,60 +4196,59 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4205,60 +4197,59 @@ _int_free (mstate av, mchunkptr p, int have_lock)
|| __builtin_expect (chunksize (chunk_at_offset (p, size))
>= av->system_mem, 0))
{
@@ -2421,7 +2465,7 @@ index 54e406bcb6..7783d05651 100644
}
/*
-@@ -4266,42 +4256,33 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4266,42 +4257,33 @@ _int_free (mstate av, mchunkptr p, int have_lock)
*/
else if (!chunk_is_mmapped(p)) {
@@ -2474,7 +2518,7 @@ index 54e406bcb6..7783d05651 100644
free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
-@@ -4333,10 +4314,7 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4333,10 +4315,7 @@ _int_free (mstate av, mchunkptr p, int have_lock)
bck = unsorted_chunks(av);
fwd = bck->fd;
if (__glibc_unlikely (fwd->bk != bck))
@@ -2486,7 +2530,7 @@ index 54e406bcb6..7783d05651 100644
p->fd = fwd;
p->bk = bck;
if (!in_smallbin_range(size))
-@@ -4379,7 +4357,7 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4379,7 +4358,7 @@ _int_free (mstate av, mchunkptr p, int have_lock)
*/
if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) {
@@ -2495,7 +2539,7 @@ index 54e406bcb6..7783d05651 100644
malloc_consolidate(av);
if (av == &main_arena) {
-@@ -4398,10 +4376,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
+@@ -4398,10 +4377,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
}
}
@@ -2507,7 +2551,7 @@ index 54e406bcb6..7783d05651 100644
}
/*
If the chunk was allocated via mmap, release via munmap().
-@@ -4450,7 +4426,7 @@ static void malloc_consolidate(mstate av)
+@@ -4450,7 +4427,7 @@ static void malloc_consolidate(mstate av)
*/
if (get_max_fast () != 0) {
@@ -2516,7 +2560,7 @@ index 54e406bcb6..7783d05651 100644
unsorted_bin = unsorted_chunks(av);
-@@ -4549,17 +4525,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
+@@ -4549,17 +4526,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
INTERNAL_SIZE_T* s; /* copy source */
INTERNAL_SIZE_T* d; /* copy destination */
@@ -2535,7 +2579,7 @@ index 54e406bcb6..7783d05651 100644
check_inuse_chunk (av, oldp);
-@@ -4570,10 +4539,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
+@@ -4570,10 +4540,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
INTERNAL_SIZE_T nextsize = chunksize (next);
if (__builtin_expect (chunksize_nomask (next) <= 2 * SIZE_SZ, 0)
|| __builtin_expect (nextsize >= av->system_mem, 0))
@@ -2547,7 +2591,7 @@ index 54e406bcb6..7783d05651 100644
if ((unsigned long) (oldsize) >= (unsigned long) (nb))
{
-@@ -4798,10 +4764,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+@@ -4798,10 +4765,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
static int
mtrim (mstate av, size_t pad)
{
@@ -2558,7 +2602,7 @@ index 54e406bcb6..7783d05651 100644
/* Ensure initialization/consolidation */
malloc_consolidate (av);
-@@ -5113,8 +5075,6 @@ static inline int
+@@ -5113,8 +5076,6 @@ static inline int
__always_inline
do_set_mallopt_check (int32_t value)
{
@@ -2567,7 +2611,7 @@ index 54e406bcb6..7783d05651 100644
return 1;
}
-@@ -5388,32 +5348,10 @@ libc_hidden_def (__libc_mallopt)
+@@ -5388,32 +5349,10 @@ libc_hidden_def (__libc_mallopt)
extern char **__libc_argv attribute_hidden;
static void
--