summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/glibc
diff options
context:
space:
mode:
authorHuang Qiyu <huangqy.fnst@cn.fujitsu.com>2018-01-21 16:13:06 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-01-23 23:43:45 +0000
commit78bdc1b7246c22c8abe9fe51143e7403bc05791f (patch)
tree9161dc0dd619fea2e0c314512487e0c0fe72d3e6 /meta/recipes-core/glibc
parentb1dde7b0311c63dfacbfd701c9b7cb95ae9571a2 (diff)
downloadpoky-78bdc1b7246c22c8abe9fe51143e7403bc05791f.tar.gz
glibc: Security Fix CVE-2017-17426
Affects glibc < 2.27 including current master hash 77f921dac17c5fa99bd9e926d926c327982895f7 (From OE-Core rev: a273d099c3bc73736579b7b6ead2572721f16d2a) Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> [v2] Rebased on new master [v3] Fix typo in patch status Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2017-17426.patch53
-rw-r--r--meta/recipes-core/glibc/glibc_2.26.bb1
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000000..bfa58bc1d6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,53 @@
1From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
2From: Arjun Shankar <arjun@redhat.com>
3Date: Thu, 30 Nov 2017 13:31:45 +0100
4Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
5 #22375]
6
7When the per-thread cache is enabled, __libc_malloc uses request2size (which
8does not perform an overflow check) to calculate the chunk size from the
9requested allocation size. This leads to an integer overflow causing malloc
10to incorrectly return the last successfully allocated block when called with
11a very large size argument (close to SIZE_MAX).
12
13This commit uses checked_request2size instead, removing the overflow.
14
15Upstream-Status: Backport
16CVE: CVE-2017-17426
17Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
18Rebase on new master
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 ChangeLog | 6 ++++++
23 malloc/malloc.c | 3 ++-
24 2 files changed, 8 insertions(+), 1 deletion(-)
25
26Index: git/malloc/malloc.c
27===================================================================
28--- git.orig/malloc/malloc.c
29+++ git/malloc/malloc.c
30@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
31 return (*hook)(bytes, RETURN_ADDRESS (0));
32 #if USE_TCACHE
33 /* int_free also calls request2size, be careful to not pad twice. */
34- size_t tbytes = request2size (bytes);
35+ size_t tbytes;
36+ checked_request2size (bytes, tbytes);
37 size_t tc_idx = csize2tidx (tbytes);
38
39 MAYBE_INIT_TCACHE ();
40Index: git/ChangeLog
41===================================================================
42--- git.orig/ChangeLog
43+++ git/ChangeLog
44@@ -1,3 +1,9 @@
45+2017-11-30 Arjun Shankar <arjun@redhat.com>
46+
47+ [BZ #22375]
48+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
49+ instead of request2size.
50+
51 2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
52 Dmitry V. Levin <ldv@altlinux.org>
53
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 456ce12d76..ff3197bb23 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
45 file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ 45 file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
46 file://CVE-2017-15671.patch \ 46 file://CVE-2017-15671.patch \
47 file://CVE-2017-16997.patch \ 47 file://CVE-2017-16997.patch \
48 file://CVE-2017-17426.patch \
48" 49"
49 50
50NATIVESDKFIXES ?= "" 51NATIVESDKFIXES ?= ""