[oe-commits] [openembedded-core] 05/07: glibc: Security fix CVE-2017-17426

git at git.openembedded.org git at git.openembedded.org
Thu Jan 25 11:36:50 UTC 2018 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch rocko
in repository openembedded-core.

commit 050fecc47c84e1a052a6e33414fbcfeef1e59f7a
Author: Armin Kuster <akuster808 at gmail.com>
AuthorDate: Sat Jan 20 09:50:26 2018 -0800

    glibc: Security fix CVE-2017-17426
    
    affects < 2.27
    including current mastet git hash: 77f921dac17c5fa99bd9e926d926c327982895f7
    
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 80 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
 2 files changed, 81 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000..c7d1cb8
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,80 @@
+From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun at redhat.com>
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+
+This commit uses checked_request2size instead, removing the overflow.
+
+(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
+
+Upstream-Status: Backport
+CVE: CVE-2017-17426
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ ChangeLog       | 7 +++++++
+ NEWS            | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -4,6 +4,8 @@ See the end for copying conditions.
+ 
+ Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
+ using `glibc' in the "product" field.
++
++[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
+ 
+ Version 2.26
+ 
+@@ -215,6 +217,11 @@ Security related changes:
+   for AT_SECURE or SUID binaries could be used to load libraries from the
+   current directory.
+ 
++  CVE-2017-17426: The malloc function, when called with an object size near
++  the value SIZE_MAX, would return a pointer to a buffer which is too small,
++  instead of NULL.  This was a regression introduced with the new malloc
++  thread cache in glibc 2.26.  Reported by Iain Buclaw.
++
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/malloc/malloc.c
+===================================================================
+--- git.orig/malloc/malloc.c
++++ git/malloc/malloc.c
+@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
+     return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+   /* int_free also calls request2size, be careful to not pad twice.  */
+-  size_t tbytes = request2size (bytes);
++  size_t tbytes;
++  checked_request2size (bytes, tbytes);
+   size_t tc_idx = csize2tidx (tbytes);
+ 
+   MAYBE_INIT_TCACHE ();
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-30  Arjun Shankar  <arjun at redhat.com>
++
++       [BZ #22375]
++       CVE-2017-17426
++       * malloc/malloc.c (__libc_malloc): Use checked_request2size
++       instead of request2size.
++
+ 2017-12-30  Aurelien Jarno  <aurelien at aurel32.net>
+            Dmitry V. Levin  <ldv at altlinux.org>
+ 
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index caf8e37..cc7d3cd 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://CVE-2017-15671.patch \
            file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
            file://CVE-2017-16997.patch \
+           file://CVE-2017-17426.patch \
 "
 
 NATIVESDKFIXES ?= ""

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list