This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/19651] New: Missing sanity check for malloc() in glibc-2.22 plus possible NULL pointer dereference (CWE-476)


https://sourceware.org/bugzilla/show_bug.cgi?id=19651

            Bug ID: 19651
           Summary: Missing sanity check for malloc() in glibc-2.22 plus
                    possible NULL pointer dereference (CWE-476)
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: wp02855 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 8994
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8994&action=edit
patch file for above bug report (diff -u)

Hello All,

        In reviewing source code in glibc-2.22, in sub-directory 'elf',
file 'tlsdeschtab.h', there is a call to malloc() which is not
checked for a return value of NULL, indicating failure.  Additionally,
members of the pointer 'td' are used for return values in other
function calls, which could result in unexpected behavior.

The patch file below adds the test for a return value of NULL
and takes (I hope) the appropriate action if malloc() fails:

--- tlsdeschtab.h.orig  2016-02-16 15:35:30.088150404 -0800
+++ tlsdeschtab.h       2016-02-16 15:37:14.502154200 -0800
@@ -118,6 +118,11 @@
     }

   *entry = td = malloc (sizeof (struct tlsdesc_dynamic_arg));
+  if (! entry) /*  check return value from malloc()  */
+    {
+      __rtld_lock_unlock_recursive (GL(dl_load_lock));
+      return 0;
+    }
   /* This may be higher than the map's generation, but it doesn't
      matter much.  Worst case, we'll have one extra DTV update per
      thread.  */
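Review bot: the guard added right after `*entry = td = malloc (sizeof (struct tlsdesc_dynamic_arg));` tests `entry` rather than `td`, so it never fires: `entry` is the address of the table slot that the previous line just wrote through, which is therefore non-NULL at this point, while the value `malloc ()` returned lives in `td` (and `*entry`). Suggest `if (! td)` (or `if (! *entry)`). With the condition corrected, two follow-ups: `*entry` has already been set to NULL before the early `return 0;`, and the hunk does not show how callers handle a 0 return, so that path needs checking to confirm the result is not dereferenced. Minor style point: GNU convention would write the comment as `/* Check the return value from malloc ().  */` with two spaces before the closing delimiter.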
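The pattern the report describes (allocate a record into a table slot while holding a lock, and unwind the lock if the allocation fails) is shown below as an added example; it is not glibc code and not the reporter's patch. The record layout, the lock stand-in (`load_lock`/`load_unlock` in place of `__rtld_lock_lock_recursive`/`__rtld_lock_unlock_recursive`), the fault-injecting `checked_malloc` and the function names are all assumptions made for the illustration. It exercises the failure path and also shows why a check on the slot address rather than on the returned pointer cannot detect a failed allocation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed shape of the record being allocated; field names are illustrative. */
struct tlsdesc_dynamic_arg
{
  size_t gen_count;
  size_t tlsinfo_offset;
};

/* Stand-in for the dynamic loader's recursive lock: a depth counter is
   enough to observe whether the failure path releases what it took.  */
static int load_lock_depth;
static void load_lock (void)   { load_lock_depth++; }
static void load_unlock (void) { load_lock_depth--; }
int load_lock_held (void)      { return load_lock_depth > 0; }

/* Fault injection: when non-zero, the next allocation returns NULL.  */
int fail_next_alloc;
static void *checked_malloc (size_t n)
{
  if (fail_next_alloc)
    {
      fail_next_alloc = 0;
      return NULL;
    }
  return malloc (n);
}

/* Corrected pattern: the test is on td, the value malloc returned, not on
   entry, the address of the table slot.  On failure the lock taken above
   is released, the slot is left NULL and 0 is returned to the caller.  */
void *make_dynamic_arg (void **entry, size_t offset)
{
  struct tlsdesc_dynamic_arg *td;
  load_lock ();
  *entry = td = checked_malloc (sizeof (struct tlsdesc_dynamic_arg));
  if (! td)
    {
      load_unlock ();
      return 0;
    }
  td->gen_count = 1;
  td->tlsinfo_offset = offset;
  load_unlock ();
  return td;
}

/* The dead check: after `*entry = td = NULL`, entry still points at the
   slot, so `! entry` is false even though the allocation failed.
   Returns 1 if the check would fire; with a real slot address it never does.  */
static int check_fires_on (void **entry)
{
  struct tlsdesc_dynamic_arg *td;
  *entry = td = NULL;           /* what a failed malloc leaves behind */
  return ! entry;               /* tests the slot address, not the result */
}
int wrong_check_fires (void)
{
  void *slot;
  return check_fires_on (&slot);
}

/* Scenario: allocation fails.  Caller gets 0, slot is NULL, lock released.  */
int failure_path_ok (void)
{
  void *slot = (void *) 1;      /* constructed stale value, to see it cleared */
  fail_next_alloc = 1;
  void *r = make_dynamic_arg (&slot, 16);
  return r == NULL && slot == NULL && ! load_lock_held ();
}

/* Scenario: allocation succeeds.  Record is filled in and lock released.  */
int success_path_ok (void)
{
  void *slot = NULL;
  struct tlsdesc_dynamic_arg *td = make_dynamic_arg (&slot, 16);
  int ok = td != NULL && slot == td && td->tlsinfo_offset == 16
           && td->gen_count == 1 && ! load_lock_held ();
  free (td);
  return ok;
}

int main (void)
{
  printf ("failure path handled: %s\n", failure_path_ok () ? "yes" : "no");
  printf ("success path ok:      %s\n", success_path_ok () ? "yes" : "no");
  printf ("`! entry` detects failure: %s\n", wrong_check_fires () ? "yes" : "no");
  return 0;
}
```

The two scenario functions are the checks a reviewer would want for a patch of this kind: that the failure path returns the documented value, leaves the slot in a state callers can recognise, and does not leak the lock; `wrong_check_fires` documents why the condition has to name the pointer that received the allocation.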

