
Accepting request 130342 from home:uli_suse:branches:devel:libraries:c_c++

- fix for malloc()/calloc() overflows (CVE-2012-2673, bnc#765444)

OBS-URL: https://build.opensuse.org/request/show/130342
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/gc?expand=0&rev=18
Ismail Dönmez 2012-08-07 19:22:16 +00:00 committed by Git OBS Bridge
parent 95a9207e33
commit 1d2596af6f
6 changed files with 161 additions and 1 deletions


@ -0,0 +1,40 @@
From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 15 Mar 2012 04:55:08 +0800
Subject: [PATCH] Fix allocation size overflows due to rounding.
* malloc.c (GC_generic_malloc): Check if the allocation size is
rounded to a smaller value.
* mallocx.c (GC_generic_malloc_ignore_off_page): Likewise.
---
malloc.c | 2 ++
mallocx.c | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/malloc.c b/malloc.c
index cc0cc00..899d6ff 100644
--- a/malloc.c
+++ b/malloc.c
@@ -169,6 +169,8 @@ GC_API void * GC_CALL GC_generic_malloc(size_t lb, int k)
GC_bool init;
lg = ROUNDED_UP_GRANULES(lb);
lb_rounded = GRANULES_TO_BYTES(lg);
+ if (lb_rounded < lb)
+ return((*GC_get_oom_fn())(lb));
n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
init = GC_obj_kinds[k].ok_init;
LOCK();
diff --git a/mallocx.c b/mallocx.c
index 2c79f41..0d9c0a6 100644
--- a/mallocx.c
+++ b/mallocx.c
@@ -183,4 +183,6 @@ GC_INNER void * GC_generic_malloc_ignore_off_page(size_t lb, int k)
lg = ROUNDED_UP_GRANULES(lb);
lb_rounded = GRANULES_TO_BYTES(lg);
+ if (lb_rounded < lb)
+ return((*GC_get_oom_fn())(lb));
n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
init = GC_obj_kinds[k].ok_init;
--
1.7.7
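Review bot: The new guard `if (lb_rounded < lb) return((*GC_get_oom_fn())(lb));` carries no comment explaining which wrap it catches, and the same two bare lines are duplicated in GC_generic_malloc_ignore_off_page; a one-line why-comment on each would help the next reader, e.g. `/* lb is so close to SIZE_MAX that rounding up to a granule multiple wrapped; treat as out of memory rather than hand out a block smaller than requested. */`. The check sits before LOCK() is taken, so the early return releases nothing and cannot leave the allocator lock held. ROUNDED_UP_GRANULES, GRANULES_TO_BYTES and any sibling allocation entry points are outside the patch, so whether every path that rounds a request size the same way received this guard cannot be confirmed here and is worth a grep. Both GC_generic_malloc and GC_generic_malloc_ignore_off_page start before and end after the shown context.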


@ -0,0 +1,32 @@
From e10c1eb9908c2774c16b3148b30d2f3823d66a9a Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Thu, 15 Mar 2012 04:46:49 +0800
Subject: [PATCH] Fix calloc() overflow
* malloc.c (calloc): Check multiplication overflow in calloc(),
assuming REDIRECT_MALLOC.
---
malloc.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/malloc.c b/malloc.c
index da68f13..cc0cc00 100644
--- a/malloc.c
+++ b/malloc.c
@@ -372,8 +372,13 @@ void * malloc(size_t lb)
}
#endif /* GC_LINUX_THREADS */
+#ifndef SIZE_MAX
+#define SIZE_MAX (~(size_t)0)
+#endif
void * calloc(size_t n, size_t lb)
{
+ if (lb && n > SIZE_MAX / lb)
+ return NULL;
# if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
/* libpthread allocated some memory that is only pointed to by */
/* mmapped thread stacks. Make sure it's not collectable. */
--
1.7.7
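Review bot: The rejection `if (lb && n > SIZE_MAX / lb) return NULL;` hands back NULL without setting errno, while POSIX requires calloc() to set errno to ENOMEM on failure, so a caller that reports the failure through strerror(errno) sees a stale value. Adding `errno = ENOMEM;` before the return fixes that, assuming malloc.c includes <errno.h>, which this hunk does not show. If the other REDIRECT_MALLOC wrappers in this file do not set errno either, at least a comment noting the deviation from POSIX next to the check would help. calloc() continues past the hunk.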


@ -0,0 +1,39 @@
From 6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 Mon Sep 17 00:00:00 2001
From: Ivan Maidanski <ivmai@mail.ru>
Date: Thu, 15 Mar 2012 20:30:11 +0400
Subject: [PATCH] Fix calloc-related code to prevent SIZE_MAX redefinition in
sys headers
* malloc.c: Include limits.h for SIZE_MAX.
* malloc.c (SIZE_MAX, calloc): Define GC_SIZE_MAX instead of SIZE_MAX.
---
malloc.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/malloc.c b/malloc.c
index 899d6ff..cb49a5c 100644
--- a/malloc.c
+++ b/malloc.c
@@ -374,12 +374,16 @@ void * malloc(size_t lb)
}
#endif /* GC_LINUX_THREADS */
-#ifndef SIZE_MAX
-#define SIZE_MAX (~(size_t)0)
+#include <limits.h>
+#ifdef SIZE_MAX
+# define GC_SIZE_MAX SIZE_MAX
+#else
+# define GC_SIZE_MAX (~(size_t)0)
#endif
+
void * calloc(size_t n, size_t lb)
{
- if (lb && n > SIZE_MAX / lb)
+ if (lb && n > GC_SIZE_MAX / lb)
return NULL;
# if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
/* libpthread allocated some memory that is only pointed to by */
--
1.7.7
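Review bot: SIZE_MAX is declared by <stdint.h> in C99, not by <limits.h>, so the new `#include <limits.h>` will on typical toolchains not make `#ifdef SIZE_MAX` true (unless an earlier include already pulled it in) and the `(~(size_t)0)` fallback is what actually gets compiled; that value is correct, so the check is not weakened, but the include and the commit message describe something the code does not do. If a C99 header is acceptable for this tree, `#include <stdint.h>` is the header that provides SIZE_MAX; otherwise replace the misleading include with a comment such as `/* SIZE_MAX is a C99 <stdint.h> macro; older toolchains get the all-ones size_t below, which is the same value. */`. Dropping an `#include` into the middle of malloc.c after function bodies is also unusual style; the file's own include block is outside this hunk. calloc() continues past the hunk.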


@ -0,0 +1,34 @@
From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001
From: Hans Boehm <Hans.Boehm@hp.com>
Date: Thu, 15 Mar 2012 21:09:05 +0400
Subject: [PATCH] Speedup calloc size overflow check by preventing division if
small values
* malloc.c (GC_SQRT_SIZE_MAX): New macro.
* malloc.c (calloc): Add fast initial size overflow check to avoid
integer division for reasonably small values passed.
---
malloc.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/malloc.c b/malloc.c
index cb49a5c..c9b9eb6 100644
--- a/malloc.c
+++ b/malloc.c
@@ -381,9 +381,12 @@ void * malloc(size_t lb)
# define GC_SIZE_MAX (~(size_t)0)
#endif
+#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
+
void * calloc(size_t n, size_t lb)
{
- if (lb && n > GC_SIZE_MAX / lb)
+ if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
+ && lb && n > GC_SIZE_MAX / lb)
return NULL;
# if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
/* libpthread allocated some memory that is only pointed to by */
--
1.7.7
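Review bot: `#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)` shifts an unsigned int; if WORDSZ is 64 on LP64 targets (as its name suggests, but its definition is outside the patch) the shift count equals the width of unsigned int, which is undefined behaviour in C, and on x86 the count is masked to 0 so GC_SQRT_SIZE_MAX evaluates to 0 and the fast path never skips the division. The operand needs to be size_t-typed: `#define GC_SQRT_SIZE_MAX (((size_t)1 << (WORDSZ / 2)) - 1)`. The combined test itself is sound, because when both lb and n are at most 2^(WORDSZ/2)-1 their product is below 2^WORDSZ, so skipping the division there cannot miss an overflow; a short comment stating that invariant next to the macro, e.g. `/* if both factors fit in half a word the product cannot wrap */`, would make the "fast initial test" self-explanatory. calloc() continues past the hunk.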


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Tue Aug 7 15:23:30 UTC 2012 - uli@suse.com
- fix for malloc()/calloc() overflows (CVE-2012-2673, bnc#765444)
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Feb 11 08:55:11 UTC 2012 - coolo@suse.com Sat Feb 11 08:55:11 UTC 2012 - coolo@suse.com

12
gc.spec

@ -26,6 +26,11 @@ License: BSD-3-Clause
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Source: %{name}-%{src_ver}.tar.bz2 Source: %{name}-%{src_ver}.tar.bz2
Patch0: %{name}-build.patch Patch0: %{name}-build.patch
Patch1: 0001-Fix-allocation-size-overflows-due-to-rounding.patch
Patch2: 0001-Fix-calloc-overflow.patch
Patch3: 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch
Patch4: 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libtool BuildRequires: libtool
@ -60,7 +65,8 @@ be otherwise accessed.
Summary: A garbage collector for C and C++ Summary: A garbage collector for C and C++
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Provides: gc:/usr/include/gc/gc.h Provides: gc:/usr/include/gc/gc.h
Requires: libgc1 = %version, glibc-devel Requires: glibc-devel
Requires: libgc1 = %version
%description devel %description devel
The Boehm-Demers-Weiser conservative garbage collector can be used as a The Boehm-Demers-Weiser conservative garbage collector can be used as a
@ -87,6 +93,10 @@ that involves minimum overhead across a variety of architectures.
%prep %prep
%setup -q -n %{name}-%{src_ver} %setup -q -n %{name}-%{src_ver}
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build %build
# refresh auto*/libtool to purge rpaths # refresh auto*/libtool to purge rpaths
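Review bot: Patch1 and Patch2 are applied in the reverse of their upstream order: the index lines in the added patch files show 0001-Fix-calloc-overflow.patch taking malloc.c from da68f13 to cc0cc00 and 0001-Fix-allocation-size-overflows-due-to-rounding.patch starting from cc0cc00, yet %prep runs the rounding patch first. The two hunks touch disjoint regions of malloc.c, so patch(1) will presumably apply them with a line offset, but swapping the Patch1/Patch2 numbering (or just the `%patch1 -p1` / `%patch2 -p1` order) keeps the series reproducible against upstream and avoids fuzz on future rebases. Tagging the four Patch lines with the usual openSUSE marker, e.g. `# PATCH-FIX-UPSTREAM CVE-2012-2673 bnc#765444`, would also let a later maintainer see at a glance which ones can be dropped on the next version update.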