path: root/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
blob: c7d1cb86df1d8f6941835e207294e0b2274d7723
From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun@redhat.com>
Date: Thu, 30 Nov 2017 13:31:45 +0100
Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
 #22375]

When the per-thread cache is enabled, __libc_malloc uses request2size (which
does not perform an overflow check) to calculate the chunk size from the
requested allocation size. This leads to an integer overflow causing malloc
to incorrectly return the last successfully allocated block when called with
a very large size argument (close to SIZE_MAX).

This commit uses checked_request2size instead, removing the overflow.

(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)

Upstream-Status: Backport
CVE: CVE-2017-17426
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 ChangeLog       | 7 +++++++
 NEWS            | 6 ++++++
 malloc/malloc.c | 3 ++-
 3 files changed, 15 insertions(+), 1 deletion(-)
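As an added illustration of the arithmetic the commit message describes (example code, not part of this patch or of glibc), the model below mirrors glibc's request2size, REQUEST_OUT_OF_RANGE and checked_request2size macros with 64-bit constants assumed, and shows why an unchecked request near SIZE_MAX is sized into tcache bin 0 while the checked form rejects it so malloc can return NULL.

```c
/* Added example modelling the BZ #22375 arithmetic; not glibc code.  The
   macros mirror glibc's request2size, REQUEST_OUT_OF_RANGE and
   checked_request2size, with 64-bit constants assumed (SIZE_SZ = 8,
   MALLOC_ALIGNMENT = 16, MINSIZE = 32).  */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define SIZE_SZ            sizeof (size_t)
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            (4 * SIZE_SZ)

/* Unchecked: when req is close enough to SIZE_MAX that req + 23 wraps, the
   sum falls below MINSIZE and the result is clamped to MINSIZE (32).  */
#define request2size(req)                                          \
  (((req) + SIZE_SZ + MALLOC_ALIGN_MASK < MINSIZE) ? MINSIZE :     \
   ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)

/* Bound applied by checked_request2size: req >= SIZE_MAX - 63 is rejected.  */
#define REQUEST_OUT_OF_RANGE(req) \
  ((unsigned long) (req) >= (unsigned long) (size_t) (-2 * MINSIZE))

/* Chunk size the pre-fix tcache path derived from the request.  */
size_t unchecked_chunk_size (size_t req) { return request2size (req); }

/* tcache bin index for a chunk size, as glibc's csize2tidx computes it.  */
size_t csize2tidx (size_t csize)
{ return (csize - MINSIZE + MALLOC_ALIGNMENT - 1) / MALLOC_ALIGNMENT; }

/* Post-fix behaviour: -1 with errno = ENOMEM (malloc returns NULL) when the
   request is out of range, otherwise 0 with the chunk size in *out.  */
int checked_chunk_size (size_t req, size_t *out)
{
  if (REQUEST_OUT_OF_RANGE (req))
    {
      errno = ENOMEM;
      return -1;
    }
  *out = request2size (req);
  return 0;
}

int main (void)
{
  size_t req = SIZE_MAX - 4, sz, csz = unchecked_chunk_size (req);
  printf ("unchecked: req %zu -> chunk %zu -> tcache bin %zu\n", req, csz,
          csize2tidx (csz));
  if (checked_chunk_size (req, &sz) < 0)
    printf ("checked: rejected with ENOMEM, malloc would return NULL\n");
  return 0;
}
```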

Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -4,6 +4,8 @@ See the end for copying conditions.
 
 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
+
+[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
 
 Version 2.26
 
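Review bot: the new `[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)` line is inserted directly under the bug-report preamble with no heading, ahead of the `Version 2.26` section, so a reader cannot tell which release it belongs to; consider giving it a heading for the point release it ships in, or placing it under the existing `The following bugs are resolved with this release:` list further down.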
@@ -215,6 +217,11 @@ Security related changes:
   for AT_SECURE or SUID binaries could be used to load libraries from the
   current directory.
 
+  CVE-2017-17426: The malloc function, when called with an object size near
+  the value SIZE_MAX, would return a pointer to a buffer which is too small,
+  instead of NULL.  This was a regression introduced with the new malloc
+  thread cache in glibc 2.26.  Reported by Iain Buclaw.
+
 The following bugs are resolved with this release:
 
   [984] network: Respond to changed resolv.conf in gethostbyname
Index: git/malloc/malloc.c
===================================================================
--- git.orig/malloc/malloc.c
+++ git/malloc/malloc.c
@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
     return (*hook)(bytes, RETURN_ADDRESS (0));
 #if USE_TCACHE
   /* int_free also calls request2size, be careful to not pad twice.  */
-  size_t tbytes = request2size (bytes);
+  size_t tbytes;
+  checked_request2size (bytes, tbytes);
   size_t tc_idx = csize2tidx (tbytes);
 
   MAYBE_INIT_TCACHE ();
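Review bot: the fix depends on `checked_request2size (bytes, tbytes);` leaving `__libc_malloc` before `csize2tidx (tbytes)` runs when `bytes` is out of range, because `tbytes` is now declared uninitialized on the preceding line; that early-return behaviour is not visible in this hunk, so the macro definition should be confirmed, and since the diffstat shows no test change, a regression test under malloc/ that calls malloc with a size near SIZE_MAX and expects NULL would be worth adding.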
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,10 @@
+2017-11-30  Arjun Shankar  <arjun@redhat.com>
+
+       [BZ #22375]
+       CVE-2017-17426
+       * malloc/malloc.c (__libc_malloc): Use checked_request2size
+       instead of request2size.
+
 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
            Dmitry V. Levin  <ldv@altlinux.org>
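Review bot: the new entry dated 2017-11-30 is placed above the existing 2017-12-30 entry, which breaks the newest-first ordering of ChangeLog; move the `[BZ #22375]` block below the 2017-12-30 Aurelien Jarno / Dmitry V. Levin entry so the dates stay in order.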