
Bug#878159: marked as done (glibc: CVE-2018-6485: Integer overflow in posix_memalign)



Your message dated Sat, 4 Sep 2021 23:59:04 +0200
with message-id <20210904215904.GL19695@aurel32.net>
and subject line Re: fixed 878159 in 2.26.9000+20180127.7e23a7dd-0experimental0
has caused the Debian Bug report #878159,
regarding glibc: CVE-2018-6485: Integer overflow in posix_memalign
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
878159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878159
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.24-17

Some posix_memalign() calls fail catastrophically:

  $ grep memalign test-posix-memalign.c
       return posix_memalign(&p, 0x10, SIZE_MAX - 0x20);

  $ make test-posix-memalign
  cc     test-posix-memalign.c   -o test-posix-memalign

  $ ./test-posix-memalign
  *** Error in `./test-posix-memalign': free(): invalid next size (fast): 0x57a96008 ***
  ...

Backtrace:

#0  0xf7fd7dc9 in __kernel_vsyscall ()
#1  0xf7e2add0 in __libc_signal_restore_set (set=0xffffd160) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf7e2c297 in __GI_abort () at abort.c:89
#4  0xf7e6638f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#5  0xf7e6cfc7 in malloc_printerr (action=<optimized out>, str=0xf7f60318 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xf7fb2780 <main_arena>) at malloc.c:5049
#6  0xf7e6d806 in _int_free (av=av@entry=0xf7fb2780 <main_arena>, p=p@entry=0x56558000, have_lock=have_lock@entry=1) at malloc.c:3905
#7  0xf7e6f8c3 in _int_memalign (av=av@entry=0xf7fb2780 <main_arena>, alignment=alignment@entry=16, bytes=bytes@entry=4294967263) at malloc.c:4497
#8  0xf7e70eea in _mid_memalign (alignment=16, bytes=4294967263, address=<optimized out>) at malloc.c:3158
#9  0xf7e71028 in _mid_memalign (alignment=alignment@entry=16, bytes=bytes@entry=4294967263, address=<optimized out>) at malloc.c:3121
#10 0xf7e72b7f in __posix_memalign (memptr=0xffffd6ac, alignment=16, size=4294967263) at malloc.c:5071
#11 0x5655556b in main ()


-- System Information:
Architecture: i386

Versions of packages libc6 depends on:
ii  libgcc1  1:7.2.0-8


--
Jakub Wilk

--- End Message ---
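
A caller-side guard for the request in the report above, as an added example that is not part of the original messages and not glibc's fix. The names `checked_posix_memalign` and `padded_size_wraps32` and the `PAD_SLACK` margin are assumptions made here. The wrapper rejects a size that would wrap once alignment and allocator padding are added, and the 32-bit model mirrors the i386 backtrace:

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* declares posix_memalign */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound on what an allocator adds to size + alignment
   (chunk header, rounding). A conservative margin, not a glibc constant. */
#define PAD_SLACK 64u

/* 32-bit model of the padding arithmetic, matching the i386 report:
   returns 1 if size + alignment + slack wraps past UINT32_MAX. */
int padded_size_wraps32(uint32_t size, uint32_t alignment, uint32_t slack)
{
    uint32_t padded = size + alignment;   /* unsigned wrap is well defined */
    if (padded < size)
        return 1;
    return (uint32_t)(padded + slack) < padded;
}

/* Hypothetical wrapper: refuse a request whose padded size could wrap,
   so the allocator never sees it. Returns an errno value like posix_memalign. */
int checked_posix_memalign(void **memptr, size_t alignment, size_t size)
{
    /* POSIX: alignment is a power of two and a multiple of sizeof(void *). */
    if (alignment < sizeof(void *) || (alignment & (alignment - 1)) != 0)
        return EINVAL;
    if (alignment > SIZE_MAX - PAD_SLACK ||
        size > SIZE_MAX - PAD_SLACK - alignment)
        return ENOMEM;
    return posix_memalign(memptr, alignment, size);
}

int main(void)
{
    void *p = NULL;
    /* The request from the report: alignment 0x10, size SIZE_MAX - 0x20. */
    int rc = checked_posix_memalign(&p, 0x10, SIZE_MAX - 0x20);
    printf("wrapper returned %d (ENOMEM is %d)\n", rc, ENOMEM);
    /* The same size as seen in the i386 backtrace (bytes=4294967263). */
    printf("wraps in 32-bit: %d\n", padded_size_wraps32(4294967263u, 16, PAD_SLACK));
    return rc == ENOMEM ? 0 : 1;
}
```
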
--- Begin Message ---
Version: glibc/2.26.9000+20180127.7e23a7dd-0experimental0

On 2018-02-02 22:35, Salvatore Bonaccorso wrote:
> fixed 878159 2.26.9000+20180127.7e23a7dd-0experimental0
> thanks

Closing the bug in addition to marking it fixed.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

--- End Message ---
