ping
> -----Original Message----- > From: Huang, Qiyu > Sent: Wednesday, December 20, 2017 4:11 PM > To: [email protected] > Cc: Huang, Qiyu <[email protected]> > Subject: [OE-core][PATCH] glibc:CVE-2017-17426 > > Fix the CVE-2017-17426. > > Signed-off-by: Huang Qiyu <[email protected]> > --- > ...-overflow-in-malloc-when-tcache-is-enable.patch | 52 > ++++++++++++++++++++++ > meta/recipes-core/glibc/glibc_2.26.bb | 1 + > 2 files changed, 53 insertions(+) > create mode 100644 > meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache > -is-enable.patch > > diff --git > a/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcac > he-is-enable.patch > b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcac > he-is-enable.patch > new file mode 100644 > index 0000000..623bed7 > --- /dev/null > +++ b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc- > +++ when-tcache-is-enable.patch > @@ -0,0 +1,52 @@ > +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 > 2001 > +From: Arjun Shankar <[email protected]> > +Date: Thu, 30 Nov 2017 13:31:45 +0100 > +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled > +[BZ #22375] > + > +When the per-thread cache is enabled, __libc_malloc uses request2size > +(which does not perform an overflow check) to calculate the chunk size > +from the requested allocation size. This leads to an integer overflow > +causing malloc to incorrectly return the last successfully allocated > +block when called with a very large size argument (close to SIZE_MAX). > + > +This commit uses checked_request2size instead, removing the overflow. > + > +Upstream-status: Backport > +--- > + ChangeLog | 6 ++++++ > + malloc/malloc.c | 3 ++- > + 2 files changed, 8 insertions(+), 1 deletion(-) > + > +diff --git a/ChangeLog b/ChangeLog > +index b55ed22..888f9fb 100644 > +--- a/ChangeLog > ++++ b/ChangeLog > +@@ -1,3 +1,9 @@ > ++2017-11-30 Arjun Shankar <[email protected]> > ++ > ++ [BZ #22375] > ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size > ++ instead of request2size. > ++ > + 2017-08-02 Siddhesh Poyarekar <[email protected]> > + > + * sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S > +diff --git a/malloc/malloc.c b/malloc/malloc.c index 79f0e9e..0c9e074 > +100644 > +--- a/malloc/malloc.c > ++++ b/malloc/malloc.c > +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes) > + return (*hook)(bytes, RETURN_ADDRESS (0)); #if USE_TCACHE > + /* int_free also calls request2size, be careful to not pad twice. > +*/ > +- size_t tbytes = request2size (bytes); > ++ size_t tbytes; > ++ checked_request2size (bytes, tbytes); > + size_t tc_idx = csize2tidx (tbytes); > + > + MAYBE_INIT_TCACHE (); > +-- > +2.7.4 > + > diff --git a/meta/recipes-core/glibc/glibc_2.26.bb > b/meta/recipes-core/glibc/glibc_2.26.bb > index 135ec4f..36b2004 100644 > --- a/meta/recipes-core/glibc/glibc_2.26.bb > +++ b/meta/recipes-core/glibc/glibc_2.26.bb > @@ -43,6 +43,7 @@ SRC_URI = > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > > file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \ > file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \ > file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \ > + > + file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch > + \ > " > > NATIVESDKFIXES ?= "" > -- > 2.7.4 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
