On 12/27/2017 09:19 PM, Huang Qiyu wrote:
> Fix the CVE-2017-17426.
Is this fix in master?
- armin
>
> Signed-off-by: Huang Qiyu <huangqy.f...@cn.fujitsu.com>
> ---
> ...-overflow-in-malloc-when-tcache-is-enable.patch | 49
> ++++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.26.bb | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644
> meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
>
> diff --git
> a/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
>
> b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
> new file mode 100644
> index 0000000..fb52be5
> --- /dev/null
> +++
> b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
> @@ -0,0 +1,49 @@
> +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
> +From: Arjun Shankar <ar...@redhat.com>
> +Date: Thu, 30 Nov 2017 13:31:45 +0100
> +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
> + #22375]
> +
> +When the per-thread cache is enabled, __libc_malloc uses request2size (which
> +does not perform an overflow check) to calculate the chunk size from the
> +requested allocation size. This leads to an integer overflow causing malloc
> +to incorrectly return the last successfully allocated block when called with
> +a very large size argument (close to SIZE_MAX).
> +
> +This commit uses checked_request2size instead, removing the overflow.
> +---
> + ChangeLog | 6 ++++++
> + malloc/malloc.c | 3 ++-
> + 2 files changed, 8 insertions(+), 1 deletion(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index b55ed22..888f9fb 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,9 @@
> ++2017-11-30 Arjun Shankar <ar...@redhat.com>
> ++
> ++ [BZ #22375]
> ++ * malloc/malloc.c (__libc_malloc): Use checked_request2size
> ++ instead of request2size.
> ++
> + 2017-08-02 Siddhesh Poyarekar <siddh...@sourceware.org>
> +
> + * sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
> +diff --git a/malloc/malloc.c b/malloc/malloc.c
> +index 79f0e9e..0c9e074 100644
> +--- a/malloc/malloc.c
> ++++ b/malloc/malloc.c
> +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
> + return (*hook)(bytes, RETURN_ADDRESS (0));
> + #if USE_TCACHE
> + /* int_free also calls request2size, be careful to not pad twice. */
> +- size_t tbytes = request2size (bytes);
> ++ size_t tbytes;
> ++ checked_request2size (bytes, tbytes);
> + size_t tc_idx = csize2tidx (tbytes);
> +
> + MAYBE_INIT_TCACHE ();
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.26.bb
> b/meta/recipes-core/glibc/glibc_2.26.bb
> index 135ec4f..d314316 100644
> --- a/meta/recipes-core/glibc/glibc_2.26.bb
> +++ b/meta/recipes-core/glibc/glibc_2.26.bb
> @@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>
> file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
> file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
> file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
> +
> file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch\
> "
>
> NATIVESDKFIXES ?= ""
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
