2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
new file mode 100644
index 0000000000..bfa58bc1d6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,53 @@
+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+This commit uses checked_request2size instead, removing the overflow.
+Upstream-Status: Backport
+CVE: CVE-2017-17426
+Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
+Rebase on new master
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog       | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+Index: git/malloc/malloc.c
+===================================================================
+--- git.orig/malloc/malloc.c
+++ git/malloc/malloc.c
+@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
+     return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+   /* int_free also calls request2size, be careful to not pad twice.  */
+-  size_t tbytes = request2size (bytes);
+  size_t tbytes;
+  checked_request2size (bytes, tbytes);
+   size_t tc_idx = csize2tidx (tbytes);
+ 
+   MAYBE_INIT_TCACHE ();
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,9 @@
+2017-11-30  Arjun Shankar  <arjun@redhat.com>
+
+       [BZ #22375]
+       * malloc/malloc.c (__libc_malloc): Use checked_request2size
+       instead of request2size.
+
+ 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+            Dmitry V. Levin  <ldv@altlinux.org>
+ 
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 456ce12d76..ff3197bb23 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
           file://CVE-2017-15671.patch \
           file://CVE-2017-16997.patch \
+           file://CVE-2017-17426.patch \
 "
 NATIVESDKFIXES ?= ""

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch new file mode 100644 index 0000000000..bfa58bc1d6 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
@@ -0,0 +1,53 @@
		1	From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
		2	From: Arjun Shankar <arjun@redhat.com>
		3	Date: Thu, 30 Nov 2017 13:31:45 +0100
		4	Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
		5	#22375]
		6
		7	When the per-thread cache is enabled, __libc_malloc uses request2size (which
		8	does not perform an overflow check) to calculate the chunk size from the
		9	requested allocation size. This leads to an integer overflow causing malloc
		10	to incorrectly return the last successfully allocated block when called with
		11	a very large size argument (close to SIZE_MAX).
		12
		13	This commit uses checked_request2size instead, removing the overflow.
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2017-17426
		17	Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
		18	Rebase on new master
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	ChangeLog \| 6 ++++++
		23	malloc/malloc.c \| 3 ++-
		24	2 files changed, 8 insertions(+), 1 deletion(-)
		25
		26	Index: git/malloc/malloc.c
		27	===================================================================
		28	--- git.orig/malloc/malloc.c
		29	+++ git/malloc/malloc.c
		30	@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
		31	return (*hook)(bytes, RETURN_ADDRESS (0));
		32	#if USE_TCACHE
		33	/* int_free also calls request2size, be careful to not pad twice. */
		34	- size_t tbytes = request2size (bytes);
		35	+ size_t tbytes;
		36	+ checked_request2size (bytes, tbytes);
		37	size_t tc_idx = csize2tidx (tbytes);
		38
		39	MAYBE_INIT_TCACHE ();
		40	Index: git/ChangeLog
		41	===================================================================
		42	--- git.orig/ChangeLog
		43	+++ git/ChangeLog
		44	@@ -1,3 +1,9 @@
		45	+2017-11-30 Arjun Shankar <arjun@redhat.com>
		46	+
		47	+ [BZ #22375]
		48	+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
		49	+ instead of request2size.
		50	+
		51	2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
		52	Dmitry V. Levin <ldv@altlinux.org>
		53


diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 456ce12d76..ff3197bb23 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -45,6 +45,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \	45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
46	file://CVE-2017-15671.patch \	46	file://CVE-2017-15671.patch \
47	file://CVE-2017-16997.patch \	47	file://CVE-2017-16997.patch \
		48	file://CVE-2017-17426.patch \
48	"	49	"
49		50
50	NATIVESDKFIXES ?= ""	51	NATIVESDKFIXES ?= ""