From 050fecc47c84e1a052a6e33414fbcfeef1e59f7a Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sat, 20 Jan 2018 09:50:26 -0800
Subject: glibc: Security fix CVE-2017-17426 affects < 2.27 including current mastet git hash: 77f921dac17c5fa99bd9e926d926c327982895f7
Signed-off-by: Armin Kuster
---
 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 80 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch (limited to 'meta/recipes-core')
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000000..c7d1cb86df
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,80 @@
+From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
+From: Arjun Shankar
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+
+This commit uses checked_request2size instead, removing the overflow.
+
+(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
+
+Upstream-Status: Backport
+CVE: CVE-2017-17426
+Signed-off-by: Armin Kuster
+
+---
+ ChangeLog | 7 +++++++
+ NEWS | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -4,6 +4,8 @@ See the end for copying conditions.
+
+ Please send GNU C library bug reports via
+ using `glibc' in the "product" field.
++
++[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
+
+ Version 2.26
+
+@@ -215,6 +217,11 @@ Security related changes:
+ for AT_SECURE or SUID binaries could be used to load libraries from the
+ current directory.
+
++ CVE-2017-17426: The malloc function, when called with an object size near
++ the value SIZE_MAX, would return a pointer to a buffer which is too small,
++ instead of NULL. This was a regression introduced with the new malloc
++ thread cache in glibc 2.26. Reported by Iain Buclaw.
++
+ The following bugs are resolved with this release:
+
+ [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/malloc/malloc.c
+===================================================================
+--- git.orig/malloc/malloc.c
++++ git/malloc/malloc.c
+@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
+ return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+ /* int_free also calls request2size, be careful to not pad twice. */
+- size_t tbytes = request2size (bytes);
++ size_t tbytes;
++ checked_request2size (bytes, tbytes);
+ size_t tc_idx = csize2tidx (tbytes);
+
+ MAYBE_INIT_TCACHE ();
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-30 Arjun Shankar
++
++ [BZ #22375]
++ CVE-2017-17426
++ * malloc/malloc.c (__libc_malloc): Use checked_request2size
++ instead of request2size.
++
+ 2017-12-30 Aurelien Jarno
+ Dmitry V. Levin
+
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index caf8e37189..cc7d3cd596 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://CVE-2017-15671.patch \
 file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
 file://CVE-2017-16997.patch \
+ file://CVE-2017-17426.patch \
 "
 
 NATIVESDKFIXES ?= ""
--
cgit 1.2.3-korg
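Review bot: In the malloc/malloc.c section of the added CVE-2017-17426.patch, the new `checked_request2size (bytes, tbytes);` call leaves `tbytes` declared without an initialiser and relies on the macro both to assign it and to bail out of `__libc_malloc` on an oversized request, and nothing at the call site says so. As far as I recall, the glibc 2.26 macro sets errno to ENOMEM and returns 0 from the enclosing function; its definition is not on this page, so confirm that against the tree being patched. A comment such as `/* checked_request2size returns NULL (ENOMEM) from here when BYTES is out of range; tbytes is only valid past this line. */` would make that control flow visible, and because the file is a backport it is better proposed upstream than edited into this patch. The patch touches only ChangeLog, NEWS and malloc/malloc.c and carries no regression check, so it is worth verifying on the built image that `malloc` with a size close to SIZE_MAX returns NULL after an earlier small allocation has been freed. The body of `__libc_malloc` continues outside the hunk.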