From: Huang Qiyu <huangqy.f...@cn.fujitsu.com> Affects glibc < 2.27 including current master hash 77f921dac17c5fa99bd9e926d926c327982895f7
Signed-off-by: Huang Qiyu <huangqy.f...@cn.fujitsu.com> [v2] Rebased on new master Signed-off-by: Armin Kuster <akuster...@gmail.com> --- meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 53 ++++++++++++++++++++++ meta/recipes-core/glibc/glibc_2.26.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch new file mode 100644 index 0000000..fadaf70 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch @@ -0,0 +1,53 @@ +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar <ar...@redhat.com> +Date: Thu, 30 Nov 2017 13:31:45 +0100 +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ + #22375] + +When the per-thread cache is enabled, __libc_malloc uses request2size (which +does not perform an overflow check) to calculate the chunk size from the +requested allocation size. This leads to an integer overflow causing malloc +to incorrectly return the last successfully allocated block when called with +a very large size argument (close to SIZE_MAX). + +This commit uses checked_request2size instead, removing the overflow. + +Upstream-Statsu: Backport +CVE: CVE-2017-17426 +Signed-off-by: Huang Qiyu <huangqy.f...@cn.fujitsu.com> +Rebase on new master +Signed-off-by: Armin Kuster <akus...@mvista.com> + +--- + ChangeLog | 6 ++++++ + malloc/malloc.c | 3 ++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +Index: git/malloc/malloc.c +=================================================================== +--- git.orig/malloc/malloc.c ++++ git/malloc/malloc.c +@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes) + return (*hook)(bytes, RETURN_ADDRESS (0)); + #if USE_TCACHE + /* int_free also calls request2size, be careful to not pad twice. */ +- size_t tbytes = request2size (bytes); ++ size_t tbytes; ++ checked_request2size (bytes, tbytes); + size_t tc_idx = csize2tidx (tbytes); + + MAYBE_INIT_TCACHE (); +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-30 Arjun Shankar <ar...@redhat.com> ++ ++ [BZ #22375] ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size ++ instead of request2size. ++ + 2017-12-30 Aurelien Jarno <aurel...@aurel32.net> + Dmitry V. Levin <l...@altlinux.org> + diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 456ce12..ff3197b 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb @@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ file://CVE-2017-15671.patch \ file://CVE-2017-16997.patch \ + file://CVE-2017-17426.patch \ " NATIVESDKFIXES ?= "" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core