Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2017-17426.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
deleted file mode 100644
index bfa58bc1d6..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun@redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-
-This commit uses checked_request2size instead, removing the overflow.
-
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
-Rebase on new master
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 6 ++++++
- malloc/malloc.c | 3 ++-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-Index: git/malloc/malloc.c
-===================================================================
---- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
- return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
- /* int_free also calls request2size, be careful to not pad twice. */
-- size_t tbytes = request2size (bytes);
-+ size_t tbytes;
-+ checked_request2size (bytes, tbytes);
- size_t tc_idx = csize2tidx (tbytes);
-
- MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,9 @@
-+2017-11-30 Arjun Shankar <arjun@redhat.com>
-+
-+ [BZ #22375]
-+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+ instead of request2size.
-+
- 2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
- Dmitry V. Levin <ldv@altlinux.org>
- |