[glibc/f20] Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
Siddhesh Poyarekar
siddhesh at fedoraproject.org
Mon Sep 16 09:56:49 UTC 2013
commit 349064e5e6516472cf257b870ef6258c10d29802
Author: Siddhesh Poyarekar <siddhesh at redhat.com>
Date: Mon Sep 16 15:29:03 2013 +0530
Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
glibc-rh1008299.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
glibc.spec | 7 ++++++-
2 files changed, 52 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh1008299.patch b/glibc-rh1008299.patch
new file mode 100644
index 0000000..3783b03
--- /dev/null
+++ b/glibc-rh1008299.patch
@@ -0,0 +1,46 @@
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+
+ size_t pagesz = GLRO(dl_pagesize);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+ size_t page_mask = GLRO(dl_pagesize) - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
diff --git a/glibc.spec b/glibc.spec
index f639c07..305a726 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -1,6 +1,6 @@
%define glibcsrcdir glibc-2.18
%define glibcversion 2.18
-%define glibcrelease 6%{?dist}
+%define glibcrelease 7%{?dist}
# Pre-release tarballs are pulled in from git using a command that is
# effectively:
#
@@ -184,6 +184,7 @@ Patch0042: %{name}-rh970865.patch
# Patches from upstream
#
Patch1001: %{name}-rh995841.patch
+Patch1002: %{name}-rh1008299.patch
#
# Patches submitted, but not yet approved upstream.
@@ -543,6 +544,7 @@ package or when debugging this package.
%patch0042 -p1
%patch2029 -p1
%patch2030 -p1
+%patch1002 -p1
##############################################################################
# %%prep - Additional prep required...
@@ -1628,6 +1630,9 @@ rm -f *.filelist*
%endif
%changelog
+* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.18-7
+- Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
+
* Thu Aug 29 2013 Carlos O'Donell <carlos at redhat.com> - 2.18-6
- Fix Power build (#997531).
More information about the scm-commits
mailing list