Hello community, here is the log from the commit of package gc for openSUSE:12.2 checked in at 2012-08-12 15:31:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2/gc (Old) and /work/SRC/openSUSE:12.2/.gc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gc", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.2/gc/gc.changes 2012-06-25 15:19:27.000000000 +0200 +++ /work/SRC/openSUSE:12.2/.gc.new/gc.changes 2012-08-12 15:31:29.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Aug 7 15:23:30 UTC 2012 - [email protected] + +- fix for malloc()/calloc() overflows (CVE-2012-2673, bnc#765444) + +------------------------------------------------------------------- New: ---- 0001-Fix-allocation-size-overflows-due-to-rounding.patch 0001-Fix-calloc-overflow.patch 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gc.spec ++++++ --- /var/tmp/diff_new_pack.sP1lei/_old 2012-08-12 15:31:29.000000000 +0200 +++ /var/tmp/diff_new_pack.sP1lei/_new 2012-08-12 15:31:29.000000000 +0200 @@ -26,6 +26,11 @@ Group: Development/Libraries/C and C++ Source: %{name}-%{src_ver}.tar.bz2 Patch0: %{name}-build.patch +Patch1: 0001-Fix-allocation-size-overflows-due-to-rounding.patch +Patch2: 0001-Fix-calloc-overflow.patch +Patch3: 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch +Patch4: 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gcc-c++ BuildRequires: libtool @@ -60,7 +65,8 @@ Summary: A garbage collector for C and C++ Group: Development/Libraries/C and C++ Provides: gc:/usr/include/gc/gc.h -Requires: libgc1 = %version, glibc-devel +Requires: glibc-devel +Requires: libgc1 = %version %description devel The Boehm-Demers-Weiser conservative garbage collector can be used as a @@ -87,6 +93,10 @@ %prep %setup -q -n %{name}-%{src_ver} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build # refresh auto*/libtool to purge rpaths ++++++ 0001-Fix-allocation-size-overflows-due-to-rounding.patch ++++++ 
>From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001 From: Xi Wang <[email protected]> Date: Thu, 15 Mar 2012 04:55:08 +0800 Subject: [PATCH] Fix allocation size overflows due to rounding. * malloc.c (GC_generic_malloc): Check if the allocation size is rounded to a smaller value. * mallocx.c (GC_generic_malloc_ignore_off_page): Likewise. --- malloc.c | 2 ++ mallocx.c | 2 ++ 2 files changed, 4 insertions(+), 0 deletions(-) diff --git a/malloc.c b/malloc.c index cc0cc00..899d6ff 100644 --- a/malloc.c +++ b/malloc.c @@ -169,6 +169,8 @@ GC_API void * GC_CALL GC_generic_malloc(size_t lb, int k) GC_bool init; lg = ROUNDED_UP_GRANULES(lb); lb_rounded = GRANULES_TO_BYTES(lg); + if (lb_rounded < lb) + return((*GC_get_oom_fn())(lb)); n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded); init = GC_obj_kinds[k].ok_init; LOCK(); diff --git a/mallocx.c b/mallocx.c index 2c79f41..0d9c0a6 100644 --- a/mallocx.c +++ b/mallocx.c @@ -183,4 +183,6 @@ GC_INNER void * GC_generic_malloc_ignore_off_page(size_t lb, int k) lg = ROUNDED_UP_GRANULES(lb); lb_rounded = GRANULES_TO_BYTES(lg); + if (lb_rounded < lb) + return((*GC_get_oom_fn())(lb)); n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded); init = GC_obj_kinds[k].ok_init; -- 1.7.7 ++++++ 0001-Fix-calloc-overflow.patch ++++++ >From e10c1eb9908c2774c16b3148b30d2f3823d66a9a Mon Sep 17 00:00:00 2001 From: Xi Wang <[email protected]> Date: Thu, 15 Mar 2012 04:46:49 +0800 Subject: [PATCH] Fix calloc() overflow * malloc.c (calloc): Check multiplication overflow in calloc(), assuming REDIRECT_MALLOC. --- malloc.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/malloc.c b/malloc.c index da68f13..cc0cc00 100644 --- a/malloc.c +++ b/malloc.c 
@@ -372,8 +372,13 @@ void * malloc(size_t lb) } #endif /* GC_LINUX_THREADS */ +#ifndef SIZE_MAX +#define SIZE_MAX (~(size_t)0) +#endif void * calloc(size_t n, size_t lb) { + if (lb && n > SIZE_MAX / lb) + return NULL; # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */ /* libpthread allocated some memory that is only pointed to by */ /* mmapped thread stacks. Make sure it's not collectable. */ -- 1.7.7 ++++++ 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch ++++++ >From 6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 Mon Sep 17 00:00:00 2001 From: Ivan Maidanski <[email protected]> Date: Thu, 15 Mar 2012 20:30:11 +0400 Subject: [PATCH] Fix calloc-related code to prevent SIZE_MAX redefinition in sys headers * malloc.c: Include limits.h for SIZE_MAX. * malloc.c (SIZE_MAX, calloc): Define GC_SIZE_MAX instead of SIZE_MAX. --- malloc.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) diff --git a/malloc.c b/malloc.c index 899d6ff..cb49a5c 100644 --- a/malloc.c +++ b/malloc.c @@ -374,12 +374,16 @@ void * malloc(size_t lb) } #endif /* GC_LINUX_THREADS */ -#ifndef SIZE_MAX -#define SIZE_MAX (~(size_t)0) +#include <limits.h> +#ifdef SIZE_MAX +# define GC_SIZE_MAX SIZE_MAX +#else +# define GC_SIZE_MAX (~(size_t)0) #endif + void * calloc(size_t n, size_t lb) { - if (lb && n > SIZE_MAX / lb) + if (lb && n > GC_SIZE_MAX / lb) return NULL; # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */ /* libpthread allocated some memory that is only pointed to by */ -- 1.7.7 ++++++ 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch ++++++ >From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001 
From: Hans Boehm <[email protected]> Date: Thu, 15 Mar 2012 21:09:05 +0400 Subject: [PATCH] Speedup calloc size overflow check by preventing division if small values * malloc.c (GC_SQRT_SIZE_MAX): New macro. * malloc.c (calloc): Add fast initial size overflow check to avoid integer division for reasonably small values passed. --- malloc.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/malloc.c b/malloc.c index cb49a5c..c9b9eb6 100644 --- a/malloc.c +++ b/malloc.c @@ -381,9 +381,12 @@ void * malloc(size_t lb) # define GC_SIZE_MAX (~(size_t)0) #endif +#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1) + void * calloc(size_t n, size_t lb) { - if (lb && n > GC_SIZE_MAX / lb) + if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */ + && lb && n > GC_SIZE_MAX / lb) return NULL; # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */ /* libpthread allocated some memory that is only pointed to by */ -- 1.7.7 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
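Review bot: on 0001-Fix-allocation-size-overflows-due-to-rounding.patch, the "if (lb_rounded < lb)" test in both the GC_generic_malloc and GC_generic_malloc_ignore_off_page hunks only catches the overflow because a wrapped lg makes GRANULES_TO_BYTES(lg) come out smaller than lb; that depends on how ROUNDED_UP_GRANULES is written (an add-then-divide that wraps), so a one-line comment above the check saying what it assumes would keep a later change to that macro from silently turning the guard into dead code. The diffstat shows only these two functions touched; any other entry point that runs the same ROUNDED_UP_GRANULES / GRANULES_TO_BYTES pair before OBJ_SZ_TO_BLOCKS needs the same guard, so please grep for the remaining callers before merging. Returning through GC_get_oom_fn() before LOCK() is the right place for the early exit, since no allocator state has been touched yet.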
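Review bot: on 0001-Fix-calloc-overflow.patch, the "return NULL;" in the calloc hunk leaves errno untouched; POSIX requires calloc() to set errno to ENOMEM on failure, and a REDIRECT_MALLOC build is standing in for the libc allocator, so add "errno = ENOMEM;" (with <errno.h>) before the return. The "#ifndef SIZE_MAX / #define SIZE_MAX (~(size_t)0)" block defines a name that belongs to the system headers; if <stdint.h> is pulled in later in the same translation unit the macro is redefined, which is what the follow-up 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch corrects by switching to GC_SIZE_MAX. The overflow test itself is right: "lb && n > SIZE_MAX / lb" rejects exactly the products that do not fit in size_t and lets lb == 0 fall through to the existing path.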
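Review bot: on 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch, "#include <limits.h>" is not where C99 puts SIZE_MAX (it is defined in <stdint.h>), so on a conforming libc the include contributes nothing to the "#ifdef SIZE_MAX" test that follows and the code silently takes the "(~(size_t)0)" fallback. That fallback is the correct maximum on any platform where size_t is an unsigned type without padding bits, so behaviour is unaffected, but the include is misleading: either include <stdint.h> (behind whatever probe the build already has for that header) or drop the include and keep only the "~(size_t)0" definition. The rename to GC_SIZE_MAX does resolve the redefinition problem from the previous patch.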
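Review bot: on 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch, "#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)" shifts an unsigned int; with WORDSZ == 64 that is "1U << 32", undefined behaviour under C99 6.5.7 because the shift count is not less than the width of the promoted operand, so the constant is not guaranteed to be 0xFFFFFFFF on 64-bit builds (gcc warns "left shift count >= width of type"). Shift a size_t instead so the macro is well defined for every word size: "#define GC_SQRT_SIZE_MAX ((((size_t)1) << (WORDSZ / 2)) - 1)". The fast-path logic is sound: when "(lb | n) <= GC_SQRT_SIZE_MAX" both operands are below 2^(WORDSZ/2), so n * lb is below 2^WORDSZ and the division can be skipped without losing any overflow case; the "lb &&" term still protects the division when the fast test falls through.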
