summaryrefslogtreecommitdiff
path: root/source/l/glibc/glibc.CVE-2013-4332.diff
blob: 9f7f5886c2ae44712d94bd06f9cde6c3c85001a6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Wed, 11 Sep 2013
Subject: CVE-2013-4332
 
malloc: Check for integer overflow in pvalloc, valloc, and memalign.

A large bytes parameter to pvalloc, valloc, or memalign could cause
an integer overflow and corrupt allocator internals. Check the
overflow does not occur before continuing with the allocation.

Note: This is a backport to glibc 2.17 of the following three commits:
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d
---

malloc.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;
@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
 
   size_t pagesz = GLRO(dl_pagesize);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);
@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
   size_t page_mask = GLRO(dl_pagesize) - 1;
   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);