This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch glibc-2.26 in repository glibc.
commit 3f27ba0ba9c424224bed42a2d6a271bbb4a2b9e0 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Thu Dec 7 00:14:32 2017 +0100 debian/patches/git-updates.diff: update from upstream stable branch: * debian/patches/git-updates.diff: update from upstream stable branch: - Fix malloc returning pointer from tcache_get when it should returns NULL (CVE-2017-17426). Closes: #883729. --- debian/changelog | 4 +- debian/patches/git-updates.diff | 114 ++++++++++++++++++++++++++++------------ 2 files changed, 82 insertions(+), 36 deletions(-) diff --git a/debian/changelog b/debian/changelog index a3376be..765b1c7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,7 +3,9 @@ glibc (2.26-0experimental2) UNRELEASED; urgency=medium [ Aurelien Jarno ] * debian/testsuite-xfail-debian.mk: move double-lround XFAILs from mips64el to mipsel. - * debian/patches/git-updates.diff: update from upstream stable branch. + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fix malloc returning pointer from tcache_get when it should returns + NULL (CVE-2017-17426). Closes: #883729. * debian/control.in/libc: add a Breaks: libperl5.26 (<< 5.26.1-3) to @libc@-dev to handle the xlocale.h removal. Closes: #883392. * debian/control.in/main: point the Vcs-Git field to the glibc-2.26 branch diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index 9b652ee..1d7d929 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,23 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.26/master from glibc-2.26 diff --git a/ChangeLog b/ChangeLog -index 8dbfc7eaff..fab886ab01 100644 +index 8dbfc7eaff..42224c0a2f 100644 --- a/ChangeLog 
+++ b/ChangeLog -@@ -1,3 +1,987 @@ +@@ -1,3 +1,1000 @@ ++2017-10-15 H.J. Lu <hongjiu...@intel.com> ++ ++ [BZ #22052] ++ * malloc/hooks.c (realloc_check): Use DIAG_IGNORE_NEEDS_COMMENT ++ to silence -O3 -Wall warning with GCC 7. ++ ++2017-11-30 Arjun Shankar <ar...@redhat.com> ++ ++ [BZ #22375] ++ CVE-2017-17426 ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size ++ instead of request2size. ++ +2017-11-02 Florian Weimer <fwei...@redhat.com> + + [BZ #22332] @@ -1016,10 +1029,10 @@ index 9bb707c168..828a445f24 100644 # Don't try to use -lc when making libc.so itself. # Also omits crti.o and crtn.o, which we do not want diff --git a/NEWS b/NEWS -index 8295f20c0a..61bffe0451 100644 +index 8295f20c0a..8810b57cd9 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,74 @@ See the end for copying conditions. +@@ -5,6 +5,81 @@ See the end for copying conditions. Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -1057,6 +1070,11 @@ index 8295f20c0a..61bffe0451 100644 + without GLOB_NOESCAPE, could write past the end of a buffer while + unescaping user names. Reported by Tim Rühsen. + ++ CVE-2017-17426: The malloc function, when called with an object size near ++ the value SIZE_MAX, would return a pointer to a buffer which is too small, ++ instead of NULL. This was a regression introduced with the new malloc ++ thread cache in glibc 2.26. Reported by Iain Buclaw. ++ +The following bugs are resolved with this release: + + [16750] ldd: Never run file directly. @@ -1076,6 +1094,7 @@ index 8295f20c0a..61bffe0451 100644 + occur with -O3 + [21987] Fix sparc32 bits/long-double.h + [22051] libc: zero terminator in the middle of glibc's .eh_frame ++ [22052] malloc failed to compile with GCC 7 and -O3 + [22078] nss_files performance issue in hosts multi mode + [22093] x86: Add x86_64 to x86-64 HWCAP + [22095] resolv: Fix memory leak with OOM during resolv.conf parsing 
@@ -1090,6 +1109,7 @@ index 8295f20c0a..61bffe0451 100644 + [22321] sysconf: Fix missing definition of UIO_MAXIOV on Linux + [22322] libc: [mips64] wrong bits/long-double.h installed + [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671) ++ [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) + Version 2.26 @@ -1608,7 +1628,7 @@ index e6dc9fbc68..63c981bf61 100644 if (list->array == scratch) { diff --git a/malloc/hooks.c b/malloc/hooks.c -index 1d80be20d2..4398c0a017 100644 +index 1d80be20d2..2c6cebc889 100644 --- a/malloc/hooks.c +++ b/malloc/hooks.c @@ -121,12 +121,7 @@ malloc_check_get_size (mchunkptr p) @@ -1731,7 +1751,7 @@ index 1d80be20d2..4398c0a017 100644 if (newmem) { memcpy (newmem, oldmem, oldsize - 2 * SIZE_SZ); -@@ -386,12 +341,10 @@ realloc_check (void *oldmem, size_t bytes, const void *caller) +@@ -386,19 +341,24 @@ realloc_check (void *oldmem, size_t bytes, const void *caller) } else { @@ -1747,8 +1767,22 @@ index 1d80be20d2..4398c0a017 100644 + newmem = _int_realloc (&main_arena, oldp, oldsize, nb); } ++ DIAG_PUSH_NEEDS_COMMENT; ++#if __GNUC_PREREQ (7, 0) ++ /* GCC 7 warns about magic_p may be used uninitialized. But we never ++ reach here if magic_p is uninitialized. */ ++ DIAG_IGNORE_NEEDS_COMMENT (7, "-Wmaybe-uninitialized"); ++#endif /* mem2chunk_check changed the magic byte in the old chunk. -@@ -441,8 +394,8 @@ memalign_check (size_t alignment, size_t bytes, const void *caller) + If newmem is NULL, then the old chunk will still be used though, + so we need to invert that change here. */ + if (newmem == NULL) + *magic_p ^= 0xFF; ++ DIAG_POP_NEEDS_COMMENT; + + __libc_lock_unlock (main_arena.mutex); + +@@ -441,8 +401,8 @@ memalign_check (size_t alignment, size_t bytes, const void *caller) } __libc_lock_lock (main_arena.mutex); @@ -1760,7 +1794,7 @@ index 1d80be20d2..4398c0a017 100644 return mem2mem_check (mem, bytes); } 
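Review bot: The added `DIAG_IGNORE_NEEDS_COMMENT (7, "-Wmaybe-uninitialized")` around `*magic_p ^= 0xFF` silences the GCC 7 diagnostic rather than removing its cause, and the justification in the new comment (`we never reach here if magic_p is uninitialized`) rests on branches earlier in realloc_check that lie outside this hunk, so the invariant cannot be verified from the patch itself. Initialising the pointer where it is declared (presumably `unsigned char *magic_p = NULL;`, the declaration is not visible here) would quiet the compiler without a pragma and would turn a broken invariant into a deterministic null write instead of a write through an uninitialised pointer, which is the safer failure mode for code that deliberately flips a byte in a chunk header. If the pragma is kept for the stable branch, the comment should at least name the earlier branches that assign magic_p so the next reader can re-check the claim when that code changes. realloc_check starts before this hunk.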
diff --git a/malloc/malloc.c b/malloc/malloc.c -index 54e406bcb6..7783d05651 100644 +index 54e406bcb6..6a52c288de 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -243,6 +243,9 @@ @@ -2025,7 +2059,17 @@ index 54e406bcb6..7783d05651 100644 } text_set_element (__libc_thread_subfreeres, tcache_thread_freeres); -@@ -3066,6 +3045,14 @@ __libc_malloc (size_t bytes) +@@ -3050,7 +3029,8 @@ __libc_malloc (size_t bytes) + return (*hook)(bytes, RETURN_ADDRESS (0)); + #if USE_TCACHE + /* int_free also calls request2size, be careful to not pad twice. */ +- size_t tbytes = request2size (bytes); ++ size_t tbytes; ++ checked_request2size (bytes, tbytes); + size_t tc_idx = csize2tidx (tbytes); + + MAYBE_INIT_TCACHE (); +@@ -3066,6 +3046,14 @@ __libc_malloc (size_t bytes) DIAG_POP_NEEDS_COMMENT; #endif @@ -2040,7 +2084,7 @@ index 54e406bcb6..7783d05651 100644 arena_get (ar_ptr, bytes); victim = _int_malloc (ar_ptr, bytes); -@@ -3177,11 +3164,7 @@ __libc_realloc (void *oldmem, size_t bytes) +@@ -3177,11 +3165,7 @@ __libc_realloc (void *oldmem, size_t bytes) if ((__builtin_expect ((uintptr_t) oldp > (uintptr_t) -oldsize, 0) || __builtin_expect (misaligned_chunk (oldp), 0)) && !DUMPED_MAIN_ARENA_CHUNK (oldp)) @@ -2053,7 +2097,7 @@ index 54e406bcb6..7783d05651 100644 checked_request2size (bytes, nb); -@@ -3226,6 +3209,15 @@ __libc_realloc (void *oldmem, size_t bytes) +@@ -3226,6 +3210,15 @@ __libc_realloc (void *oldmem, size_t bytes) return newmem; } @@ -2069,7 +2113,7 @@ index 54e406bcb6..7783d05651 100644 __libc_lock_lock (ar_ptr->mutex); newp = _int_realloc (ar_ptr, oldp, oldsize, nb); -@@ -3301,6 +3293,15 @@ _mid_memalign (size_t alignment, size_t bytes, void *address) +@@ -3301,6 +3294,15 @@ _mid_memalign (size_t alignment, size_t bytes, void *address) alignment = a; } 
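Review bot: The comment left above the new `checked_request2size (bytes, tbytes);` still reads `int_free also calls request2size, be careful to not pad twice`, which no longer says why the checked macro is required here or why it must stay ahead of `csize2tidx (tbytes)`. With the unchecked macro a request near SIZE_MAX wraps to a small `tbytes`, produces a valid tcache index, and lets `tcache_get` hand back an undersized chunk (the CVE-2017-17426 case described in the NEWS entry of this same update); the checked macro, going by its definition elsewhere in malloc.c rather than anything in this hunk, fails the call before the cache is consulted. I would extend the comment to `/* int_free also calls request2size, be careful to not pad twice.  The checked form must run before csize2tidx: an unchecked size near SIZE_MAX wraps to a small tbytes and a valid tcache index (CVE-2017-17426).  */` so a future reordering of these lines is caught in review. No regression test for an oversized request appears in the visible hunks of this backport, so the fix is protected only by review; if the stable branch carries one, it would be worth including. The body of __libc_malloc continues outside this hunk.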
@@ -2085,7 +2129,7 @@ index 54e406bcb6..7783d05651 100644 arena_get (ar_ptr, bytes + alignment + MINSIZE); p = _int_memalign (ar_ptr, alignment, bytes); -@@ -3393,7 +3394,11 @@ __libc_calloc (size_t n, size_t elem_size) +@@ -3393,7 +3395,11 @@ __libc_calloc (size_t n, size_t elem_size) MAYBE_INIT_TCACHE (); @@ -2098,7 +2142,7 @@ index 54e406bcb6..7783d05651 100644 if (av) { /* Check if we hand out the top chunk, in which case there may be no -@@ -3423,19 +3428,21 @@ __libc_calloc (size_t n, size_t elem_size) +@@ -3423,19 +3429,21 @@ __libc_calloc (size_t n, size_t elem_size) } mem = _int_malloc (av, sz); @@ -2128,7 +2172,7 @@ index 54e406bcb6..7783d05651 100644 /* Allocation failed even after a retry. */ if (mem == 0) -@@ -3527,8 +3534,6 @@ _int_malloc (mstate av, size_t bytes) +@@ -3527,8 +3535,6 @@ _int_malloc (mstate av, size_t bytes) size_t tcache_unsorted_count; /* count of unsorted chunks processed */ #endif @@ -2137,7 +2181,7 @@ index 54e406bcb6..7783d05651 100644 /* Convert request size to internal form by adding SIZE_SZ bytes overhead plus possibly more to obtain necessary alignment and/or -@@ -3570,42 +3575,50 @@ _int_malloc (mstate av, size_t bytes) +@@ -3570,42 +3576,50 @@ _int_malloc (mstate av, size_t bytes) { idx = fastbin_index (nb); mfastbinptr *fb = &fastbin (av, idx); @@ -2218,7 +2262,7 @@ index 54e406bcb6..7783d05651 100644 } /* -@@ -3628,11 +3641,9 @@ _int_malloc (mstate av, size_t bytes) +@@ -3628,11 +3642,9 @@ _int_malloc (mstate av, size_t bytes) else { bck = victim->bk; @@ -2233,7 +2277,7 @@ index 54e406bcb6..7783d05651 100644 set_inuse_bit_at_offset (victim, nb); bin->bk = bck; bck->fd = bin; -@@ -3687,7 +3698,7 @@ _int_malloc (mstate av, size_t bytes) +@@ -3687,7 +3699,7 @@ _int_malloc (mstate av, size_t bytes) else { idx = largebin_index (nb); 
@@ -2242,7 +2286,7 @@ index 54e406bcb6..7783d05651 100644 malloc_consolidate (av); } -@@ -3723,8 +3734,7 @@ _int_malloc (mstate av, size_t bytes) +@@ -3723,8 +3735,7 @@ _int_malloc (mstate av, size_t bytes) if (__builtin_expect (chunksize_nomask (victim) <= 2 * SIZE_SZ, 0) || __builtin_expect (chunksize_nomask (victim) > av->system_mem, 0)) @@ -2252,7 +2296,7 @@ index 54e406bcb6..7783d05651 100644 size = chunksize (victim); /* -@@ -3929,11 +3939,8 @@ _int_malloc (mstate av, size_t bytes) +@@ -3929,11 +3940,8 @@ _int_malloc (mstate av, size_t bytes) have to perform a complete insert here. */ bck = unsorted_chunks (av); fwd = bck->fd; @@ -2266,7 +2310,7 @@ index 54e406bcb6..7783d05651 100644 remainder->bk = bck; remainder->fd = fwd; bck->fd = remainder; -@@ -4036,11 +4043,8 @@ _int_malloc (mstate av, size_t bytes) +@@ -4036,11 +4044,8 @@ _int_malloc (mstate av, size_t bytes) have to perform a complete insert here. */ bck = unsorted_chunks (av); fwd = bck->fd; @@ -2280,7 +2324,7 @@ index 54e406bcb6..7783d05651 100644 remainder->bk = bck; remainder->fd = fwd; bck->fd = remainder; -@@ -4102,7 +4106,7 @@ _int_malloc (mstate av, size_t bytes) +@@ -4102,7 +4107,7 @@ _int_malloc (mstate av, size_t bytes) /* When we are using atomic ops to free fast chunks we can get here for all block sizes. */ @@ -2289,7 +2333,7 @@ index 54e406bcb6..7783d05651 100644 { malloc_consolidate (av); /* restore original bin index */ -@@ -4141,9 +4145,6 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4141,9 +4146,6 @@ _int_free (mstate av, mchunkptr p, int have_lock) mchunkptr bck; /* misc temp for linking */ mchunkptr fwd; /* misc temp for linking */ 
@@ -2299,7 +2343,7 @@ index 54e406bcb6..7783d05651 100644 size = chunksize (p); /* Little security check which won't hurt performance: the -@@ -4152,21 +4153,11 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4152,21 +4154,11 @@ _int_free (mstate av, mchunkptr p, int have_lock) here by accident or by "design" from some intruder. */ if (__builtin_expect ((uintptr_t) p > (uintptr_t) -size, 0) || __builtin_expect (misaligned_chunk (p), 0)) @@ -2323,7 +2367,7 @@ index 54e406bcb6..7783d05651 100644 check_inuse_chunk(av, p); -@@ -4205,60 +4196,59 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4205,60 +4197,59 @@ _int_free (mstate av, mchunkptr p, int have_lock) || __builtin_expect (chunksize (chunk_at_offset (p, size)) >= av->system_mem, 0)) { @@ -2421,7 +2465,7 @@ index 54e406bcb6..7783d05651 100644 } /* -@@ -4266,42 +4256,33 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4266,42 +4257,33 @@ _int_free (mstate av, mchunkptr p, int have_lock) */ else if (!chunk_is_mmapped(p)) { @@ -2474,7 +2518,7 @@ index 54e406bcb6..7783d05651 100644 free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); -@@ -4333,10 +4314,7 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4333,10 +4315,7 @@ _int_free (mstate av, mchunkptr p, int have_lock) bck = unsorted_chunks(av); fwd = bck->fd; if (__glibc_unlikely (fwd->bk != bck)) @@ -2486,7 +2530,7 @@ index 54e406bcb6..7783d05651 100644 p->fd = fwd; p->bk = bck; if (!in_smallbin_range(size)) -@@ -4379,7 +4357,7 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4379,7 +4358,7 @@ _int_free (mstate av, mchunkptr p, int have_lock) */ if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) { @@ -2495,7 +2539,7 @@ index 54e406bcb6..7783d05651 100644 malloc_consolidate(av); if (av == &main_arena) { -@@ -4398,10 +4376,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) +@@ -4398,10 +4377,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) } } 
@@ -2507,7 +2551,7 @@ index 54e406bcb6..7783d05651 100644 } /* If the chunk was allocated via mmap, release via munmap(). -@@ -4450,7 +4426,7 @@ static void malloc_consolidate(mstate av) +@@ -4450,7 +4427,7 @@ static void malloc_consolidate(mstate av) */ if (get_max_fast () != 0) { @@ -2516,7 +2560,7 @@ index 54e406bcb6..7783d05651 100644 unsorted_bin = unsorted_chunks(av); -@@ -4549,17 +4525,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, +@@ -4549,17 +4526,10 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, INTERNAL_SIZE_T* s; /* copy source */ INTERNAL_SIZE_T* d; /* copy destination */ @@ -2535,7 +2579,7 @@ index 54e406bcb6..7783d05651 100644 check_inuse_chunk (av, oldp); -@@ -4570,10 +4539,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, +@@ -4570,10 +4540,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, INTERNAL_SIZE_T nextsize = chunksize (next); if (__builtin_expect (chunksize_nomask (next) <= 2 * SIZE_SZ, 0) || __builtin_expect (nextsize >= av->system_mem, 0)) @@ -2547,7 +2591,7 @@ index 54e406bcb6..7783d05651 100644 if ((unsigned long) (oldsize) >= (unsigned long) (nb)) { -@@ -4798,10 +4764,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) +@@ -4798,10 +4765,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) static int mtrim (mstate av, size_t pad) { @@ -2558,7 +2602,7 @@ index 54e406bcb6..7783d05651 100644 /* Ensure initialization/consolidation */ malloc_consolidate (av); -@@ -5113,8 +5075,6 @@ static inline int +@@ -5113,8 +5076,6 @@ static inline int __always_inline do_set_mallopt_check (int32_t value) { @@ -2567,7 +2611,7 @@ index 54e406bcb6..7783d05651 100644 return 1; } -@@ -5388,32 +5348,10 @@ libc_hidden_def (__libc_mallopt) +@@ -5388,32 +5349,10 @@ libc_hidden_def (__libc_mallopt) extern char **__libc_argv attribute_hidden; static void -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git