Re: Fix for CVE-2012-3509 libiberty: integer overflow, leading to heap-buffer overflow

Mon, 03 Feb 2014 13:50:22 -0800 

Which license is this patch under?

On 3 February 2014 13:26:41 GMT+00:00, Sebastian Trahm <ba...@schleifi.com> 
wrote:
>Hello,
>
>the following diff addresses CVE-2012-3509
>(libiberty: integer overflow, leading to heap-buffer overflow).
>
>
>Index: include/objalloc.h
>===================================================================
>RCS file: /cvs/src/gnu/lib/libiberty/include/objalloc.h,v
>retrieving revision 1.1.1.3
>diff -u -p -u -p -r1.1.1.3 objalloc.h
>--- include/objalloc.h 27 May 2008 18:46:00 -0000      1.1.1.3
>+++ include/objalloc.h 3 Feb 2014 13:24:24 -0000
>@@ -91,7 +91,7 @@ extern void *_objalloc_alloc (struct obj
>      if (__len == 0)                                                  \
>        __len = 1;                                                     \
>      __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);    \
>-     (__len <= __o->current_space                                     \
>+     (__len != 0 && __len <= __o->current_space                       \
>       ? (__o->current_ptr += __len,                                   \
>        __o->current_space -= __len,                                   \
>        (void *) (__o->current_ptr - __len))                           \
>Index: src/objalloc.c
>===================================================================
>RCS file: /cvs/src/gnu/lib/libiberty/src/objalloc.c,v
>retrieving revision 1.4
>diff -u -p -u -p -r1.4 objalloc.c
>--- src/objalloc.c     27 May 2008 18:52:44 -0000      1.4
>+++ src/objalloc.c     3 Feb 2014 13:24:24 -0000
>@@ -112,14 +112,21 @@ objalloc_create (void)
> /* Allocate space from an objalloc structure.  */
> 
> PTR
>-_objalloc_alloc (struct objalloc *o, unsigned long len)
>+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
> {
>+  unsigned long len = original_len;
>+
>   /* We avoid confusion from zero sized objects by always allocating
>      at least 1 byte.  */
>   if (len == 0)
>     len = 1;
> 
>   len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
>+
>+  /* CVE-2012-3509: Check for overflow in the alignment operation
>above
>+   * and then malloc argument below. */
>+  if (len + CHUNK_HEADER_SIZE < original_len)
>+    return NULL;
> 
>   if (len <= o->current_space)
>     {
>
>
>
>
>No functional changes, therefore no bump of "shlib_version".
>
>Cheers,
>
>Sebastian
>
>[1] http://www.openwall.com/lists/oss-security/2012/08/29/3
>[2] http://gcc.gnu.org/viewcvs/gcc?view=revision&revision=191413

Reply via email to