Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
glibc.i686.16578
memalign-overflow.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File memalign-overflow.patch of Package glibc.i686.16578
2018-01-18 Arjun Shankar <arjun@redhat.com> [BZ #22343] [BZ #22774] CVE-2018-6485 CVE-2018-6551 * malloc/malloc.c (checked_request2size): call REQUEST_OUT_OF_RANGE after padding. (_int_memalign): check for integer overflow before calling _int_malloc. Index: glibc-2.22/malloc/malloc.c =================================================================== --- glibc-2.22.orig/malloc/malloc.c +++ glibc-2.22/malloc/malloc.c @@ -1252,14 +1252,21 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+- MINSIZE : \ ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK) -/* Same, except also perform argument check */ - -#define checked_request2size(req, sz) \ - if (REQUEST_OUT_OF_RANGE (req)) { \ - __set_errno (ENOMEM); \ - return 0; \ - } \ - (sz) = request2size (req); +/* Same, except also perform an argument and result check. First, we check + that the padding done by request2size didn't result in an integer + overflow. Then we check (using REQUEST_OUT_OF_RANGE) that the resulting + size isn't so large that a later alignment would lead to another integer + overflow. */ +#define checked_request2size(req, sz) \ +({ \ + (sz) = request2size (req); \ + if (((sz) < (req)) \ + || REQUEST_OUT_OF_RANGE (sz)) \ + { \ + __set_errno (ENOMEM); \ + return 0; \ + } \ +}) /* --------------- Physical chunk operations --------------- @@ -4417,6 +4424,13 @@ _int_memalign (mstate av, size_t alignme */ + /* Check for overflow. */ + if (nb > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + /* Call malloc with worst case padding to hit alignment. */ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor