glibc/malloc-tcache-check-overflow.patch

2017-11-30  Arjun Shankar  <arjun@redhat.com>

	[BZ #22375]
	CVE-2017-17426
	* malloc/malloc.c (__libc_malloc): Use checked_request2size
	instead of request2size.

Index: glibc-2.26/malloc/malloc.c
===================================================================
--- glibc-2.26.orig/malloc/malloc.c
+++ glibc-2.26/malloc/malloc.c
@@ -3052,7 +3052,8 @@ __libc_malloc (size_t bytes)
     return (*hook)(bytes, RETURN_ADDRESS (0));
 #if USE_TCACHE
   /* int_free also calls request2size, be careful to not pad twice.  */
-  size_t tbytes = request2size (bytes);
+  size_t tbytes;
+  checked_request2size (bytes, tbytes);
   size_t tc_idx = csize2tidx (tbytes);
 
   MAYBE_INIT_TCACHE ();
Accepting request 556907 from home:Andreas_Schwab:Factory - tst-tlsopt-powerpc.patch: fix tst-tlsopt-powerpc (bcn#1070419) - powerpc-hwcap-bits.patch: Update HWCAP for powerpc (bnc#1070420) - malloc-tcache-check-overflow.patch: Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, bnc#1071479, BZ #22375) OBS-URL: https://build.opensuse.org/request/show/556907 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=487 2017-12-14 11:12:57 +01:00			`2017-11-30 Arjun Shankar <arjun@redhat.com>`

			`[BZ #22375]`
			`CVE-2017-17426`
			`* malloc/malloc.c (__libc_malloc): Use checked_request2size`
			`instead of request2size.`

			`Index: glibc-2.26/malloc/malloc.c`
			`===================================================================`
			`--- glibc-2.26.orig/malloc/malloc.c`
			`+++ glibc-2.26/malloc/malloc.c`
			`@@ -3052,7 +3052,8 @@ __libc_malloc (size_t bytes)`
			`return (*hook)(bytes, RETURN_ADDRESS (0));`
			`#if USE_TCACHE`
			`/* int_free also calls request2size, be careful to not pad twice. */`
			`- size_t tbytes = request2size (bytes);`
			`+ size_t tbytes;`
			`+ checked_request2size (bytes, tbytes);`
			`size_t tc_idx = csize2tidx (tbytes);`

			`MAYBE_INIT_TCACHE ();`