[glibc/f20] Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).

[Siddhesh Poyarekar]

commit 349064e5e6516472cf257b870ef6258c10d29802
Author: Siddhesh Poyarekar <siddhesh at redhat.com>
Date:   Mon Sep 16 15:29:03 2013 +0530

    Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).

 glibc-rh1008299.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec            |    7 ++++++-
 2 files changed, 52 insertions(+), 1 deletions(-)
---
diff --git a/glibc-rh1008299.patch b/glibc-rh1008299.patch
new file mode 100644
index 0000000..3783b03
--- /dev/null
+++ b/glibc-rh1008299.patch
@@ -0,0 +1,46 @@
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+   /* Otherwise, ensure that it is at least a minimum chunk size */
+   if (alignment <  MINSIZE) alignment = MINSIZE;
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - alignment - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   arena_get(ar_ptr, bytes + alignment + MINSIZE);
+   if(!ar_ptr)
+     return 0;
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+ 
+   size_t pagesz = GLRO(dl_pagesize);
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - pagesz - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   void *(*hook) (size_t, size_t, const void *) =
+     force_reg (__memalign_hook);
+   if (__builtin_expect (hook != NULL, 0))
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+   size_t page_mask = GLRO(dl_pagesize) - 1;
+   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+ 
++  /* Check for overflow.  */
++  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++    {
++      __set_errno (ENOMEM);
++      return 0;
++    }
++
+   void *(*hook) (size_t, size_t, const void *) =
+     force_reg (__memalign_hook);
+   if (__builtin_expect (hook != NULL, 0))
diff --git a/glibc.spec b/glibc.spec
index f639c07..305a726 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.18
 %define glibcversion 2.18
-%define glibcrelease 6%{?dist}
+%define glibcrelease 7%{?dist}
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
@@ -184,6 +184,7 @@ Patch0042: %{name}-rh970865.patch
 # Patches from upstream
 #
 Patch1001: %{name}-rh995841.patch
+Patch1002: %{name}-rh1008299.patch
 
 #
 # Patches submitted, but not yet approved upstream.
@@ -543,6 +544,7 @@ package or when debugging this package.
 %patch0042 -p1
 %patch2029 -p1
 %patch2030 -p1
+%patch1002 -p1
 
 ##############################################################################
 # %%prep - Additional prep required...
@@ -1628,6 +1630,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Sep 16 2013 Siddhesh Poyarekar <siddhesh at redhat.com> - 2.18-7
+- Fix integer overflows in *valloc and memalign (CVE-2013-4332, #1008299).
+
 * Thu Aug 29 2013 Carlos O'Donell <carlos at redhat.com> - 2.18-6
 - Fix Power build (#997531).