development / ports / core-arm.git / blame
| Commit | Line | Data |
|---|---|---|
| 65a1c84a VM |
1 | From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 |
| 2 | From: mancha <mancha1@hush.com> | |
| 3 | Date: Wed, 11 Sep 2013 | |
| 4 | Subject: CVE-2013-4332 | |
| 5 | ||
| 6 | malloc: Check for integer overflow in pvalloc, valloc, and memalign. | |
| 7 | ||
| 8 | A large bytes parameter to pvalloc, valloc, or memalign could cause | |
| 9 | an integer overflow and corrupt allocator internals. Check the | |
| 10 | overflow does not occur before continuing with the allocation. | |
| 11 | ||
| 12 | Note: This is a backport to glibc 2.17 of the following three commits: | |
| 13 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a | |
| 14 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef | |
| 15 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d | |
| 16 | --- | |
| 17 | ||
| 18 | malloc.c | 21 +++++++++++++++++++++ | |
| 19 | 1 file changed, 21 insertions(+) | |
| 20 | ||
| 21 | --- a/malloc/malloc.c | |
| 22 | +++ b/malloc/malloc.c | |
| 23 | @@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t | |
| 24 | /* Otherwise, ensure that it is at least a minimum chunk size */ | |
| 25 | if (alignment < MINSIZE) alignment = MINSIZE; | |
| 26 | ||
| 27 | + /* Check for overflow. */ | |
| 28 | + if (bytes > SIZE_MAX - alignment - MINSIZE) | |
| 29 | + { | |
| 30 | + __set_errno (ENOMEM); | |
| 31 | + return 0; | |
| 32 | + } | |
| 33 | + | |
| 34 | arena_get(ar_ptr, bytes + alignment + MINSIZE); | |
| 35 | if(!ar_ptr) | |
| 36 | return 0; | |
| 37 | @@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) | |
| 38 | ||
| 39 | size_t pagesz = GLRO(dl_pagesize); | |
| 40 | ||
| 41 | + /* Check for overflow. */ | |
| 42 | + if (bytes > SIZE_MAX - pagesz - MINSIZE) | |
| 43 | + { | |
| 44 | + __set_errno (ENOMEM); | |
| 45 | + return 0; | |
| 46 | + } | |
| 47 | + | |
| 48 | __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, | |
| 49 | const __malloc_ptr_t)) = | |
| 50 | force_reg (__memalign_hook); | |
| 51 | @@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) | |
| 52 | size_t page_mask = GLRO(dl_pagesize) - 1; | |
| 53 | size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); | |
| 54 | ||
| 55 | + /* Check for overflow. */ | |
| 56 | + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) | |
| 57 | + { | |
| 58 | + __set_errno (ENOMEM); | |
| 59 | + return 0; | |
| 60 | + } | |
| 61 | + | |
| 62 | __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, | |
| 63 | const __malloc_ptr_t)) = | |
| 64 | force_reg (__memalign_hook); |