1 | From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 |
2 | From: mancha <mancha1@hush.com> | |
3 | Date: Wed, 11 Sep 2013 | |
4 | Subject: CVE-2013-4332 | |
5 | ||
6 | malloc: Check for integer overflow in pvalloc, valloc, and memalign. | |
7 | ||
8 | A large bytes parameter to pvalloc, valloc, or memalign could cause | |
9 | an integer overflow and corrupt allocator internals. Check the | |
10 | overflow does not occur before continuing with the allocation. | |
11 | ||
12 | Note: This is a backport to glibc 2.17 of the following three commits: | |
13 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a | |
14 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef | |
15 | * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d | |
16 | --- | |
17 | ||
18 | malloc.c | 21 +++++++++++++++++++++ | |
19 | 1 file changed, 21 insertions(+) | |
20 | ||
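--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
 /* Otherwise, ensure that it is at least a minimum chunk size */
 if (alignment < MINSIZE) alignment = MINSIZE;
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 arena_get(ar_ptr, bytes + alignment + MINSIZE);
 if(!ar_ptr)
 return 0;
@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
 
 size_t pagesz = GLRO(dl_pagesize);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 const __malloc_ptr_t)) =
 force_reg (__memalign_hook);
@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
 size_t page_mask = GLRO(dl_pagesize) - 1;
 size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+ /* Check for overflow. */
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+ {
+ __set_errno (ENOMEM);
+ return 0;
+ }
+
 __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 const __malloc_ptr_t)) =
 force_reg (__memalign_hook);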
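Review bot: The guard added in __libc_memalign can itself wrap: `SIZE_MAX - alignment - MINSIZE` underflows when the caller-supplied `alignment` is larger than `SIZE_MAX - MINSIZE`, so the comparison passes and `bytes + alignment + MINSIZE` in the `arena_get` call still overflows. The visible lines only clamp `alignment` from below (`if (alignment < MINSIZE)`), so unless an upper bound is enforced earlier in the function, outside the hunk, one is needed ahead of the check, for example `if (alignment > SIZE_MAX / 2 + 1) { __set_errno (EINVAL); return 0; }`. The valloc and pvalloc checks subtract the system page size rather than a caller value, so they do not share this problem. In __libc_pvalloc, `rounded_bytes` is still computed from `bytes + page_mask` above the new check; that is harmless only because the function returns before using it, so moving the computation below the check, or a comment such as `/* rounded_bytes may have wrapped; it is not used until the check below has passed */`, would make the ordering intentional.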