aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorHuang Qiyu <huangqy.fnst@cn.fujitsu.com>2018-01-21 16:13:06 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-01-22 23:25:47 +0000
commita273d099c3bc73736579b7b6ead2572721f16d2a (patch)
treedb5c8233e63a83ad40e938ce64a5b82dae0609c7 /meta/recipes-core
parentf65acd6f8ef7172d75863ee091a3fbbaa57c0f3f (diff)
downloadopenembedded-core-contrib-a273d099c3bc73736579b7b6ead2572721f16d2a.tar.gz
glibc: Security Fix CVE-2017-17426
Affects glibc < 2.27 including current master hash 77f921dac17c5fa99bd9e926d926c327982895f7 Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> [v2] Rebased on new master [v3] Fix typo in patch status Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2017-17426.patch53
-rw-r--r--meta/recipes-core/glibc/glibc_2.26.bb1
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000000..bfa58bc1d6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,53 @@
+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+
+This commit uses checked_request2size instead, removing the overflow.
+
+Upstream-Status: Backport
+CVE: CVE-2017-17426
+Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
+Rebase on new master
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+Index: git/malloc/malloc.c
+===================================================================
+--- git.orig/malloc/malloc.c
++++ git/malloc/malloc.c
+@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
+ return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+ /* int_free also calls request2size, be careful to not pad twice. */
+- size_t tbytes = request2size (bytes);
++ size_t tbytes;
++ checked_request2size (bytes, tbytes);
+ size_t tc_idx = csize2tidx (tbytes);
+
+ MAYBE_INIT_TCACHE ();
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-30 Arjun Shankar <arjun@redhat.com>
++
++ [BZ #22375]
++ * malloc/malloc.c (__libc_malloc): Use checked_request2size
++ instead of request2size.
++
+ 2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
+ Dmitry V. Levin <ldv@altlinux.org>
+
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 456ce12d76..ff3197bb23 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
file://CVE-2017-15671.patch \
file://CVE-2017-16997.patch \
+ file://CVE-2017-17426.patch \
"
NATIVESDKFIXES ?= ""