From fdc1d1569d9d9ecc508d96184ed3a474f5af53c54334bf4eebf6775aaeef1abc Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Thu, 12 Sep 2013 14:47:52 +0000 Subject: [PATCH] Accepting request 198716 from home:Andreas_Schwab:Factory - malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332, bnc#839870) OBS-URL: https://build.opensuse.org/request/show/198716 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=309 --- glibc-testsuite.changes | 6 +++++ glibc-testsuite.spec | 3 +++ glibc-utils.changes | 6 +++++ glibc-utils.spec | 3 +++ glibc.changes | 6 +++++ glibc.spec | 3 +++ malloc-overflows.patch | 60 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 87 insertions(+) create mode 100644 malloc-overflows.patch diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes index 58106bc..9f97669 100644 --- a/glibc-testsuite.changes +++ b/glibc-testsuite.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de + +- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332, + bnc#839870) + ------------------------------------------------------------------- Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec index 42ee5a9..3c95b08 100644 --- a/glibc-testsuite.spec +++ b/glibc-testsuite.spec @@ -242,6 +242,8 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Add O_TMPFILE to Patch1000: fcntl-o-tmpfile.patch +# PATCH-FIX-UPSTREAM Integer overflows in malloc +Patch1001: malloc-overflows.patch ### # Patches awaiting upstream approval @@ -465,6 +467,7 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 # %patch2008 -p1 diff --git a/glibc-utils.changes b/glibc-utils.changes index 58106bc..9f97669 100644 --- a/glibc-utils.changes +++ b/glibc-utils.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de + +- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332, + bnc#839870) + ------------------------------------------------------------------- Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de diff --git a/glibc-utils.spec b/glibc-utils.spec index 2dc9819..63cfc1c 100644 --- a/glibc-utils.spec +++ b/glibc-utils.spec @@ -241,6 +241,8 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Add O_TMPFILE to Patch1000: fcntl-o-tmpfile.patch +# PATCH-FIX-UPSTREAM Integer overflows in malloc +Patch1001: malloc-overflows.patch ### # Patches awaiting upstream approval @@ -465,6 +467,7 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 # %patch2008 -p1 diff --git a/glibc.changes b/glibc.changes index 58106bc..9f97669 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Sep 12 13:42:23 UTC 2013 - schwab@suse.de + +- malloc-overflows.patch: Fix integer overflows in malloc (CVE-2013-4332, + bnc#839870) + ------------------------------------------------------------------- Wed Sep 11 10:11:56 UTC 2013 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index f2fbbb0..54dbb02 100644 --- a/glibc.spec +++ b/glibc.spec @@ -242,6 +242,8 @@ Patch306: glibc-fix-double-loopback.diff ### # PATCH-FIX-UPSTREAM Add O_TMPFILE to Patch1000: fcntl-o-tmpfile.patch +# PATCH-FIX-UPSTREAM Integer overflows in malloc +Patch1001: malloc-overflows.patch ### # Patches awaiting upstream approval @@ -465,6 +467,7 @@ rm nscd/s-stamp %patch306 -p1 %patch1000 -p1 +%patch1001 -p1 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 # %patch2008 -p1 diff --git a/malloc-overflows.patch b/malloc-overflows.patch new file mode 100644 index 0000000..15f2369 --- /dev/null 
+++ b/malloc-overflows.patch
@@ -0,0 +1,60 @@
+2013-09-11 Will Newton
+
+ [BZ #15857]
+ * malloc/malloc.c (__libc_memalign): Check the value of bytes
+ does not overflow.
+
+ [BZ #15856]
+ * malloc/malloc.c (__libc_valloc): Check the value of bytes
+ does not overflow.
+
+ [BZ #15855]
+ * malloc/malloc.c (__libc_pvalloc): Check the value of bytes
+ does not overflow.
+
+Index: glibc-2.18/malloc/malloc.c
+===================================================================
+--- glibc-2.18.orig/malloc/malloc.c
++++ glibc-2.18/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
+@@ -3046,6 +3053,13 @@ __libc_valloc(size_t bytes)
+
+ size_t pagesz = GLRO(dl_pagesize);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
+@@ -3082,6 +3096,13 @@ __libc_pvalloc(size_t bytes)
+ size_t page_mask = GLRO(dl_pagesize) - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
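Review bot: In the `__libc_memalign` hunk the new guard `bytes > SIZE_MAX - alignment - MINSIZE` is itself unsigned arithmetic, so when `alignment` exceeds `SIZE_MAX - MINSIZE` the right-hand side wraps to a large value, the check passes, and `bytes + alignment + MINSIZE` in the `arena_get` call can still overflow. The visible context only clamps `alignment` from below (`if (alignment < MINSIZE) alignment = MINSIZE;`), so unless an upper bound is enforced earlier in the function, outside this hunk, the guard should bound the alignment first: `if (alignment > SIZE_MAX - MINSIZE || bytes > SIZE_MAX - alignment - MINSIZE)`. The `__libc_valloc` check does not share the problem because `pagesz` is read from `GLRO(dl_pagesize)` rather than from the caller; `__libc_pvalloc` presumably does the same, but its `pagesz` declaration is outside the hunk. In `__libc_pvalloc` the check also sits after `rounded_bytes` has been computed from a possibly wrapped `bytes + page_mask`, which is harmless only because the function returns before using it. A comment such as `/* rounded_bytes may have wrapped; it must not be used before this check passes */` would keep a later edit from reordering the two.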