Openembedded Core Discussions
* [V3][PATCH] glibc: Security Fix CVE-2017-17426
From: Armin Kuster @ 2018-01-22  0:13 UTC
  To: openembedded-core, akuster

From: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>

Affects glibc < 2.27 including current master
hash 77f921dac17c5fa99bd9e926d926c327982895f7

Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>

[v2]
Rebased on new master

[v3]
Fix typo in patch status

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 53 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2017-17426.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000..bfa58bc
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,53 @@
+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+
+This commit uses checked_request2size instead, removing the overflow.
+
+Upstream-Status: Backport
+CVE: CVE-2017-17426
+Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
+Rebase on new master
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog       | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+Index: git/malloc/malloc.c
+===================================================================
+--- git.orig/malloc/malloc.c
++++ git/malloc/malloc.c
+@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
+     return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+   /* int_free also calls request2size, be careful to not pad twice.  */
+-  size_t tbytes = request2size (bytes);
++  size_t tbytes;
++  checked_request2size (bytes, tbytes);
+   size_t tc_idx = csize2tidx (tbytes);
+ 
+   MAYBE_INIT_TCACHE ();
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-30  Arjun Shankar  <arjun@redhat.com>
++
++       [BZ #22375]
++       * malloc/malloc.c (__libc_malloc): Use checked_request2size
++       instead of request2size.
++
+ 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+            Dmitry V. Levin  <ldv@altlinux.org>
+ 
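Review bot: the embedded ChangeLog hunk at the end of CVE-2017-17426.patch should be dropped from the backport. Its context lines (`2017-12-30  Aurelien Jarno`, `Dmitry V. Levin`) tie the patch to one exact state of the top of ChangeLog, so it can stop applying whenever a new entry lands there, while the fix itself is only the change in malloc/malloc.c that replaces `request2size (bytes)` with `checked_request2size (bytes, tbytes)`. If the ChangeLog hunk goes, the diffstat in the header (`2 files changed, 8 insertions(+), 1 deletion(-)`) needs updating as well. In the patch header, `Upstream-Status: Backport` carries no upstream reference; adding the commit id already shown in the `From 34697694e8a93b325b18f25f7dcded55d6baeaf6` line makes the origin checkable, and the bare `Rebase on new master` line between the two Signed-off-by tags should be attributed to whoever did the rebase.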
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 456ce12..ff3197b 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
            file://CVE-2017-15671.patch \
            file://CVE-2017-16997.patch \
+           file://CVE-2017-17426.patch \
 "
 
 NATIVESDKFIXES ?= ""
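Review bot: this hunk applies only if the SRC_URI list in glibc_2.26.bb (blob 456ce12) still ends with the `file://CVE-2017-15671.patch \` and `file://CVE-2017-16997.patch \` entries shown as context. The patchtest reply in this thread reports that the series does not apply on master (currently at 3328211afd), so regenerate this hunk against the current recipe and confirm the new `file://CVE-2017-17426.patch \` line is still the last entry before the closing quote when resending.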
-- 
2.7.4




* ✗ patchtest: failure for glibc: Security Fix CVE-2017-17426 (rev2)
From: Patchwork @ 2018-01-22  0:32 UTC
  To: Armin Kuster; +Cc: openembedded-core

== Series Details ==

Series: glibc: Security Fix CVE-2017-17426 (rev2)
Revision: 2
URL   : https://patchwork.openembedded.org/series/10641/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 3328211afd)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe


