diff options
| author | Huang Qiyu <huangqy.fnst@cn.fujitsu.com> | 2018-01-21 16:13:06 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-22 23:25:47 +0000 |
| commit | a273d099c3bc73736579b7b6ead2572721f16d2a (patch) | |
| tree | db5c8233e63a83ad40e938ce64a5b82dae0609c7 | |
| parent | f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f (diff) | |
| download | openembedded-core-a273d099c3bc73736579b7b6ead2572721f16d2a.tar.gz openembedded-core-a273d099c3bc73736579b7b6ead2572721f16d2a.tar.bz2 openembedded-core-a273d099c3bc73736579b7b6ead2572721f16d2a.zip | |
glibc: Security Fix CVE-2017-17426
Affects glibc < 2.27 including current master
hash 77f921dac17c5fa99bd9e926d926c327982895f7
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
[v2]
Rebased on new master
[v3]
Fix typo in patch status
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
| -rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 53 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc_2.26.bb | 1 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch new file mode 100644 index 0000000000..bfa58bc1d6 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch @@ -0,0 +1,53 @@ +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar <arjun@redhat.com> +Date: Thu, 30 Nov 2017 13:31:45 +0100 +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ + #22375] + +When the per-thread cache is enabled, __libc_malloc uses request2size (which +does not perform an overflow check) to calculate the chunk size from the +requested allocation size. This leads to an integer overflow causing malloc +to incorrectly return the last successfully allocated block when called with +a very large size argument (close to SIZE_MAX). + +This commit uses checked_request2size instead, removing the overflow. + +Upstream-Status: Backport +CVE: CVE-2017-17426 +Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> +Rebase on new master +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ChangeLog | 6 ++++++ + malloc/malloc.c | 3 ++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +Index: git/malloc/malloc.c +=================================================================== +--- git.orig/malloc/malloc.c ++++ git/malloc/malloc.c +@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes) + return (*hook)(bytes, RETURN_ADDRESS (0)); + #if USE_TCACHE + /* int_free also calls request2size, be careful to not pad twice. */ +- size_t tbytes = request2size (bytes); ++ size_t tbytes; ++ checked_request2size (bytes, tbytes); + size_t tc_idx = csize2tidx (tbytes); + + MAYBE_INIT_TCACHE (); +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-30 Arjun Shankar <arjun@redhat.com> ++ ++ [BZ #22375] ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size ++ instead of request2size. ++ + 2017-12-30 Aurelien Jarno <aurelien@aurel32.net> + Dmitry V. Levin <ldv@altlinux.org> + diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 456ce12d76..ff3197bb23 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb @@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ file://CVE-2017-15671.patch \ file://CVE-2017-16997.patch \ + file://CVE-2017-17426.patch \ " NATIVESDKFIXES ?= "" |