slackware-current/source/l/glibc/glibc.CVE-2013-4332.diff

From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Wed, 11 Sep 2013
Subject: CVE-2013-4332
 
malloc: Check for integer overflow in pvalloc, valloc, and memalign.

A large bytes parameter to pvalloc, valloc, or memalign could cause
an integer overflow and corrupt allocator internals. Check the
overflow does not occur before continuing with the allocation.

Note: This is a backport to glibc 2.17 of the following three commits:
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef
    * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d
---

malloc.c |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;
@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)
 
   size_t pagesz = GLRO(dl_pagesize);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);
@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)
   size_t page_mask = GLRO(dl_pagesize) - 1;
   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);
Slackware 14.1 Mon Nov 4 17:08:47 UTC 2013 Slackware 14.1 x86_64 stable is released! It's been another interesting release cycle here at Slackware bringing new features like support for UEFI machines, updated compilers and development tools, the switch from MySQL to MariaDB, and many more improvements throughout the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-) 2013-11-04 17:08:47 +00:00			`From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001`
			`From: mancha <mancha1@hush.com>`
			`Date: Wed, 11 Sep 2013`
			`Subject: CVE-2013-4332`

			`malloc: Check for integer overflow in pvalloc, valloc, and memalign.`

			`A large bytes parameter to pvalloc, valloc, or memalign could cause`
			`an integer overflow and corrupt allocator internals. Check the`
			`overflow does not occur before continuing with the allocation.`

			`Note: This is a backport to glibc 2.17 of the following three commits:`
			`* https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a`
			`* https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef`
			`* https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d`
			`---`

			`malloc.c \| 21 +++++++++++++++++++++`
			`1 file changed, 21 insertions(+)`

			`--- a/malloc/malloc.c`
			`+++ b/malloc/malloc.c`
			`@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t`
			`/* Otherwise, ensure that it is at least a minimum chunk size */`
			`if (alignment < MINSIZE) alignment = MINSIZE;`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - alignment - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`arena_get(ar_ptr, bytes + alignment + MINSIZE);`
			`if(!ar_ptr)`
			`return 0;`
			`@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes)`

			`size_t pagesz = GLRO(dl_pagesize);`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - pagesz - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,`
			`const __malloc_ptr_t)) =`
			`force_reg (__memalign_hook);`
			`@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes)`
			`size_t page_mask = GLRO(dl_pagesize) - 1;`
			`size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);`

			`+ /* Check for overflow. */`
			`+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)`
			`+ {`
			`+ __set_errno (ENOMEM);`
			`+ return 0;`
			`+ }`
			`+`
			`__malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,`
			`const __malloc_ptr_t)) =`
			`force_reg (__memalign_hook);`