This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug malloc/22774] Integer overflow in _int_malloc (CVE-2018-6551)


https://sourceware.org/bugzilla/show_bug.cgi?id=22774

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c (commit)
      from  bbabb868cd248763373d0db763bacd84ce27ede8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c

commit 01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c
Author: Arjun Shankar <arjun@redhat.com>
Date:   Thu Jan 18 16:47:06 2018 +0000

    Fix integer overflows in internal memalign and malloc [BZ #22343] [BZ #22774]

    When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
    and a requested size close to SIZE_MAX, it falls back to malloc code
    (because the alignment of a block returned by malloc is sufficient to
    satisfy the call).  In this case, an integer overflow in _int_malloc leads
    to posix_memalign incorrectly returning successfully.

    Upon fixing this and writing a somewhat thorough regression test, it was
    discovered that when posix_memalign is called with an alignment larger than
    MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
    close to SIZE_MAX, a different integer overflow in _int_memalign leads to
    posix_memalign incorrectly returning successfully.

    Both integer overflows affect other memory allocation functions that use
    _int_malloc (one affected malloc in x86) or _int_memalign as well.

    This commit fixes both integer overflows.  In addition to this, it adds a
    regression test to guard against false successful allocations by the
    following memory allocation functions when called with too-large allocation
    sizes and, where relevant, various valid alignments:
    malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
    aligned_alloc, valloc, and pvalloc.

    (cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                     |   13 ++
 NEWS                          |    8 ++
 malloc/Makefile               |    1 +
 malloc/malloc.c               |   30 ++++--
 malloc/tst-malloc-too-large.c |  253 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 297 insertions(+), 8 deletions(-)
 create mode 100644 malloc/tst-malloc-too-large.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
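As an added example (not part of this bug report and not glibc's own malloc/tst-malloc-too-large.c), a regression-style check in the spirit of the test the commit describes: it asks malloc, calloc, realloc and posix_memalign for sizes within a few chunk headers of SIZE_MAX, with alignments both below and above the usual 16-byte MALLOC_ALIGNMENT so that both the malloc fallback path and the memalign path are exercised, and counts every call that hands back a pointer instead of failing with ENOMEM. The concrete sizes, alignments and the count_false_successes name are assumptions of this example.

```c
/* Constructed check (not glibc's malloc/tst-malloc-too-large.c): allocation
 * requests near SIZE_MAX must fail rather than wrap to a small request. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Within a few chunk headers of SIZE_MAX: adding the header and rounding up
 * to MALLOC_ALIGNMENT wraps around if the allocator skips the overflow check.
 * volatile keeps the compiler from folding the sizes into the calls. */
static const volatile size_t too_large[] = {
    SIZE_MAX, SIZE_MAX - 1, SIZE_MAX - 8, SIZE_MAX - 16, SIZE_MAX - 64, SIZE_MAX - 4096
};
#define N_SIZES (sizeof too_large / sizeof too_large[0])

/* Below and above the usual 16-byte MALLOC_ALIGNMENT, so both the malloc
 * fallback path and the _int_memalign path are exercised. */
static const size_t alignments[] = { sizeof(void *), 16, 64, 4096 };
#define N_ALIGNS (sizeof alignments / sizeof alignments[0])

/* Return how many calls hand back a pointer (or a wrong error) for an impossible size. */
int count_false_successes(void) {
    int bad = 0;
    for (size_t i = 0; i < N_SIZES; i++) {
        size_t sz = too_large[i];
        void *p, *orig = malloc(32);
        if ((p = malloc(sz)) != NULL) { free(p); bad++; }
        /* calloc must also reject a product that overflows size_t. */
        if ((p = calloc(sz, 2)) != NULL) { free(p); bad++; }
        /* Growing a real block to an impossible size must fail and leave it valid. */
        if (orig != NULL) {
            if ((p = realloc(orig, sz)) != NULL) { free(p); bad++; }
            else free(orig);
        }
        for (size_t j = 0; j < N_ALIGNS; j++) {
            p = NULL;
            int rc = posix_memalign(&p, alignments[j], sz);
            /* For a valid alignment the only acceptable outcome is ENOMEM. */
            if (rc == 0 && p != NULL) { free(p); bad++; }
            else if (rc != ENOMEM) bad++;
        }
    }
    return bad;
}

int main(void) {
    int bad = count_false_successes();
    printf("%d false successful allocation(s)\n", bad);
    return bad != 0;
}
```

On a fixed allocator the program prints 0 and exits successfully; any non-zero count points at an allocation function that accepted a size that cannot possibly be satisfied.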
