This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug malloc/22774] Integer overflow in _int_malloc (CVE-2018-6551)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 08 Feb 2018 15:33:51 +0000
- Subject: [Bug malloc/22774] Integer overflow in _int_malloc (CVE-2018-6551)
- Auto-submitted: auto-generated
- References: <bug-22774-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22774
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.26/master has been updated
via 01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c (commit)
from bbabb868cd248763373d0db763bacd84ce27ede8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c
commit 01ba6f50762ad4fcd156a53ef7dbe671b64d3a5c
Author: Arjun Shankar <arjun@redhat.com>
Date: Thu Jan 18 16:47:06 2018 +0000
Fix integer overflows in internal memalign and malloc [BZ #22343] [BZ #22774]
When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
and a requested size close to SIZE_MAX, it falls back to malloc code
(because the alignment of a block returned by malloc is sufficient to
satisfy the call). In this case, an integer overflow in _int_malloc leads
to posix_memalign incorrectly returning successfully.
Upon fixing this and writing a somewhat thorough regression test, it was
discovered that when posix_memalign is called with an alignment larger than
MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
close to SIZE_MAX, a different integer overflow in _int_memalign leads to
posix_memalign incorrectly returning successfully.
Both integer overflows affect other memory allocation functions that use
_int_malloc (one affected malloc in x86) or _int_memalign as well.
This commit fixes both integer overflows. In addition to this, it adds a
regression test to guard against false successful allocations by the
following memory allocation functions when called with too-large allocation
sizes and, where relevant, various valid alignments:
malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
aligned_alloc, valloc, and pvalloc.
(cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 13 ++
NEWS | 8 ++
malloc/Makefile | 1 +
malloc/malloc.c | 30 ++++--
malloc/tst-malloc-too-large.c | 253 +++++++++++++++++++++++++++++++++++++++++
5 files changed, 297 insertions(+), 8 deletions(-)
create mode 100644 malloc/tst-malloc-too-large.c
--
You are receiving this mail because:
You are on the CC list for the bug.
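As an added example (not part of the commit, the bug report, or glibc's own malloc/tst-malloc-too-large.c): a regression check in the spirit of the test the commit adds, confirming that requests close to SIZE_MAX are rejected by malloc, calloc, realloc and posix_memalign rather than "succeeding". The size and alignment lists are constructed; the assumption that MALLOC_ALIGNMENT is 16 (so that 8 and 16 exercise the malloc fallback path and 64/4096 the _int_memalign path) holds on x86-64.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed request sizes near SIZE_MAX: the range in which the commit
   describes the request-size arithmetic in _int_malloc/_int_memalign
   wrapping around.  None of these can ever be satisfied.  */
static const size_t too_large_sizes[] = {
  SIZE_MAX, SIZE_MAX - 1, SIZE_MAX - 15, SIZE_MAX - 64, SIZE_MAX - 1024,
};
/* Valid posix_memalign alignments below and above MALLOC_ALIGNMENT
   (assumed 16, as on x86-64), so both code paths are exercised.  */
static const size_t alignments[] = {
  sizeof (void *), 2 * sizeof (void *), 64, 4096,
};

/* A "false success" is a non-NULL result (or posix_memalign returning 0)
   for a request that cannot be satisfied, or a NULL result without
   errno == ENOMEM.  Returns how many occurred; a fixed allocator yields 0.  */
int count_false_successes (void)
{
  int bad = 0;
  for (size_t i = 0; i < sizeof too_large_sizes / sizeof *too_large_sizes; i++)
    {
      size_t sz = too_large_sizes[i];
      void *p;
      errno = 0;
      if ((p = malloc (sz)) != NULL || errno != ENOMEM)
        { bad++; free (p); }
      errno = 0;
      if ((p = calloc (1, sz)) != NULL || errno != ENOMEM)
        { bad++; free (p); }
      /* realloc must fail and leave the original 64-byte block untouched.  */
      char *buf = malloc (64);
      errno = 0;
      p = realloc (buf, sz);
      if (p != NULL || errno != ENOMEM)
        { bad++; buf = p; }
      free (buf);
      for (size_t j = 0; j < sizeof alignments / sizeof *alignments; j++)
        {
          void *q = NULL;
          if (posix_memalign (&q, alignments[j], sz) == 0)
            { bad++; free (q); }
        }
    }
  return bad;
}
```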