[OE-core] [PATCH] glibc:CVE-2017-17426

Burton, Ross ross.burton at intel.com
Fri Jan 19 17:32:24 UTC 2018


This needs rebasing to master, and I suspect your email servers are
corrupting your mails as I often have to go and fix up your patches which
have had long lines wrapped:

Applying: glibc:CVE-2017-17426
error: corrupt patch at line 64

Ross

On 17 January 2018 at 02:46, Huang, Qiyu <huangqy.fnst at cn.fujitsu.com>
wrote:

> ping
>
>
> > -----Original Message-----
> > From: Huang, Qiyu
> > Sent: Wednesday, December 20, 2017 4:11 PM
> > To: openembedded-core at lists.openembedded.org
> > Cc: Huang, Qiyu <huangqy.fnst at cn.fujitsu.com>
> > Subject: [OE-core][PATCH] glibc:CVE-2017-17426
> >
> > Fix the CVE-2017-17426.
> >
> > Signed-off-by: Huang Qiyu <huangqy.fnst at cn.fujitsu.com>
> > ---
> >  ...-overflow-in-malloc-when-tcache-is-enable.patch | 52
> > ++++++++++++++++++++++
> >  meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
> >  2 files changed, 53 insertions(+)
> >  create mode 100644
> > meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-
> malloc-when-tcache
> > -is-enable.patch
> >
> > diff --git
> > a/meta/recipes-core/glibc/glibc/0029-Fix-integer-
> overflow-in-malloc-when-tcac
> > he-is-enable.patch
> > b/meta/recipes-core/glibc/glibc/0029-Fix-integer-
> overflow-in-malloc-when-tcac
> > he-is-enable.patch
> > new file mode 100644
> > index 0000000..623bed7
> > --- /dev/null
> > +++ b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-
> > +++ when-tcache-is-enable.patch
> > @@ -0,0 +1,52 @@
> > +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00
> > 2001
> > +From: Arjun Shankar <arjun at redhat.com>
> > +Date: Thu, 30 Nov 2017 13:31:45 +0100
> > +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled
> > +[BZ  #22375]
> > +
> > +When the per-thread cache is enabled, __libc_malloc uses request2size
> > +(which does not perform an overflow check) to calculate the chunk size
> > +from the requested allocation size. This leads to an integer overflow
> > +causing malloc to incorrectly return the last successfully allocated
> > +block when called with a very large size argument (close to SIZE_MAX).
> > +
> > +This commit uses checked_request2size instead, removing the overflow.
> > +
> > +Upstream-status: Backport
> > +---
> > + ChangeLog       | 6 ++++++
> > + malloc/malloc.c | 3 ++-
> > + 2 files changed, 8 insertions(+), 1 deletion(-)
> > +
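
Review bot: The embedded patch header writes the tag as `Upstream-status: Backport`, while the OE-core patch tag is spelled `Upstream-Status:`. It also carries no `CVE: CVE-2017-17426` line and no Signed-off-by from the person doing the backport. Please fix the tag spelling and add both lines above the `---` separator so the CVE fix is attributable from the patch file itself.
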
> > +diff --git a/ChangeLog b/ChangeLog
> > +index b55ed22..888f9fb 100644
> > +--- a/ChangeLog
> > ++++ b/ChangeLog
> > +@@ -1,3 +1,9 @@
> > ++2017-11-30  Arjun Shankar  <arjun at redhat.com>
> > ++
> > ++    [BZ #22375]
> > ++    * malloc/malloc.c (__libc_malloc): Use checked_request2size
> > ++    instead of request2size.
> > ++
> > + 2017-08-02  Siddhesh Poyarekar  <siddhesh at sourceware.org>
> > +
> > +     * sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
> > +diff --git a/malloc/malloc.c b/malloc/malloc.c index 79f0e9e..0c9e074
> > +100644
> > +--- a/malloc/malloc.c
> > ++++ b/malloc/malloc.c
> > +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
> > +     return (*hook)(bytes, RETURN_ADDRESS (0));  #if USE_TCACHE
> > +   /* int_free also calls request2size, be careful to not pad twice.
> > +*/
> > +-  size_t tbytes = request2size (bytes);
> > ++  size_t tbytes;
> > ++  checked_request2size (bytes, tbytes);
> > +   size_t tc_idx = csize2tidx (tbytes);
> > +
> > +   MAYBE_INIT_TCACHE ();
> > +--
> > +2.7.4
> > +
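
Review bot: The malloc/malloc.c hunk of the embedded patch has been re-wrapped in transit and cannot apply as quoted. `#if USE_TCACHE` is fused onto the end of the `return (*hook)(bytes, RETURN_ADDRESS (0));` context line, the closing `*/` of the comment has dropped onto a line of its own, and `index 79f0e9e..0c9e074 100644` is merged into and split around the `diff --git` line above the hunk, so the line counts in `@@ -3050,7 +3050,8 @@` no longer match the body. Please regenerate the file with git format-patch and send it unmodified (git send-email) so the context lines match malloc.c exactly.
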
> > diff --git a/meta/recipes-core/glibc/glibc_2.26.bb
> > b/meta/recipes-core/glibc/glibc_2.26.bb
> > index 135ec4f..36b2004 100644
> > --- a/meta/recipes-core/glibc/glibc_2.26.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.26.bb
> > @@ -43,6 +43,7 @@ SRC_URI =
> > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> >
> > file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
> >             file://0027-glibc-reset-dl-load-write-lock-after-forking.patch
> \
> >             file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
> > +
> > + file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
> > + \
> >  "
> >
> >  NATIVESDKFIXES ?= ""
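
Review bot: The added SRC_URI entry is split across three lines here (an empty `+` line, the `file://0029-...patch` line, and a lone `\`), and the 0026 and 0027 context lines above it are wrapped as well, so the hunk body no longer matches its `@@ -43,6 +43,7 @@` header. The entry should be a single `+` line, indented like the 0028 entry and ending in a trailing backslash.
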
> > --
> > 2.7.4
>
>
>