* [PATCH] glibc:CVE-2017-17426
@ 2017-12-20  8:10 Huang Qiyu
  2017-12-20  8:32 ` ✗ patchtest: failure for glibc:CVE-2017-17426 Patchwork
  2018-01-17  2:46 ` [PATCH] glibc:CVE-2017-17426 Huang, Qiyu
  0 siblings, 2 replies; 5+ messages in thread
From: Huang Qiyu @ 2017-12-20  8:10 UTC (permalink / raw)
  To: openembedded-core

Fix the CVE-2017-17426.

Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
---
 ...-overflow-in-malloc-when-tcache-is-enable.patch | 52 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch

diff --git a/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
new file mode 100644
index 0000000..623bed7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
@@ -0,0 +1,52 @@
+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Thu, 30 Nov 2017 13:31:45 +0100
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
+ #22375]
+
+When the per-thread cache is enabled, __libc_malloc uses request2size (which
+does not perform an overflow check) to calculate the chunk size from the
+requested allocation size. This leads to an integer overflow causing malloc
+to incorrectly return the last successfully allocated block when called with
+a very large size argument (close to SIZE_MAX).
+
+This commit uses checked_request2size instead, removing the overflow.
+
+Upstream-status: Backport
+---
+ ChangeLog       | 6 ++++++
+ malloc/malloc.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index b55ed22..888f9fb 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++2017-11-30  Arjun Shankar  <arjun@redhat.com>
++
++	[BZ #22375]
++	* malloc/malloc.c (__libc_malloc): Use checked_request2size
++	instead of request2size.
++
+ 2017-08-02  Siddhesh Poyarekar  <siddhesh@sourceware.org>
+ 
+ 	* sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 79f0e9e..0c9e074 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
+     return (*hook)(bytes, RETURN_ADDRESS (0));
+ #if USE_TCACHE
+   /* int_free also calls request2size, be careful to not pad twice.  */
+-  size_t tbytes = request2size (bytes);
++  size_t tbytes;
++  checked_request2size (bytes, tbytes);
+   size_t tc_idx = csize2tidx (tbytes);
+ 
+   MAYBE_INIT_TCACHE ();
+-- 
+2.7.4
+
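Review bot: The header of the embedded patch file (the lines between `Subject:` and its `---` separator) spells the status tag `Upstream-status: Backport` and carries no `CVE:` tag and no Signed-off-by from the person who did the backport, so CVE-2017-17426 appears only in the outer commit message. Suggest `Upstream-Status: Backport`, a `CVE: CVE-2017-17426` line and a Signed-off-by inside the patch file, so the fix stays identifiable from the file listed in SRC_URI. The `ChangeLog` hunk at `@@ -1,3 +1,9 @@` prepends to the top of that file and will conflict with any other backport that does the same; a backport can drop it and keep only the `malloc/malloc.c` change.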
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 135ec4f..36b2004 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
            file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
            file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
+           file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch \
 "
 
 NATIVESDKFIXES ?= ""
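Review bot: The context of this hunk at `@@ -43,6 +43,7 @@` expects `0028-Bug-4578-add-ld.so-lock-while-fork.patch` to be the last SRC_URI entry before the closing quote, and patchtest reports that the series does not apply on master (978472c586). Regenerate the change against current master with git format-patch, check it with git am, and send it as [PATCH v2]. The new file name ends in `tcache-is-enable.patch`, cut short from the subject's "enabled"; harmless, but the SRC_URI entry and the file on disk must keep matching if it is renamed.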
-- 
2.7.4
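
The size arithmetic that the backported commit message describes, as an added example that is not part of the original thread and is not glibc's code: a simplified model of the unchecked and checked padding. The `model_*` names and the constants are assumptions chosen to mirror the glibc 2.26 macros on a typical ABI.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model constants (assumed to mirror glibc 2.26; not taken from the thread). */
#define SIZE_SZ     (sizeof(size_t))
#define ALIGNMENT   (2 * SIZE_SZ)
#define ALIGN_MASK  (ALIGNMENT - 1)
#define MINSIZE     ((4 * SIZE_SZ + ALIGN_MASK) & ~ALIGN_MASK)

/* Unchecked padding: req + header + alignment slack can wrap past SIZE_MAX. */
static size_t model_request2size(size_t req)
{
    size_t padded = req + SIZE_SZ + ALIGN_MASK;   /* wraps silently */
    return padded < MINSIZE ? MINSIZE : (padded & ~ALIGN_MASK);
}

/* Checked padding: reject requests too large to pad before computing a size. */
static bool model_checked_request2size(size_t req, size_t *sz)
{
    if (req >= (size_t)0 - 2 * MINSIZE) {
        errno = ENOMEM;
        return false;
    }
    *sz = model_request2size(req);
    return true;
}

/* Chunk size -> per-thread cache bin index. */
static size_t model_csize2tidx(size_t csize)
{
    return (csize - MINSIZE + ALIGNMENT - 1) / ALIGNMENT;
}

int main(void)
{
    size_t huge = SIZE_MAX - 1;   /* constructed request close to SIZE_MAX */
    size_t sz = 0;
    size_t wrapped = model_request2size(huge);

    printf("unchecked: request %zu -> chunk size %zu, tcache bin %zu\n",
           huge, wrapped, model_csize2tidx(wrapped));
    if (!model_checked_request2size(huge, &sz))
        printf("checked:   request %zu rejected (ENOMEM)\n", huge);
    return 0;
}
```

In the unchecked path the near-SIZE_MAX request collapses to the smallest chunk size and therefore to the first cache bin, which is how a cached small block could be handed back for it; the checked path fails the request instead.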






* ✗ patchtest: failure for glibc:CVE-2017-17426
  2017-12-20  8:10 [PATCH] glibc:CVE-2017-17426 Huang Qiyu
@ 2017-12-20  8:32 ` Patchwork
  2018-01-17  2:46 ` [PATCH] glibc:CVE-2017-17426 Huang, Qiyu
  1 sibling, 0 replies; 5+ messages in thread
From: Patchwork @ 2017-12-20  8:32 UTC (permalink / raw)
  To: Huang Qiyu; +Cc: openembedded-core

== Series Details ==

Series: glibc:CVE-2017-17426
Revision: 1
URL   : https://patchwork.openembedded.org/series/10268/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series cannot be parsed correctly due to malformed diff lines [test_mbox_format] 
  Suggested fix    Create the series again using git-format-patch and ensure it can be applied using git am
  Diff line        diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb


* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at 978472c586)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [PATCH] glibc:CVE-2017-17426
  2017-12-20  8:10 [PATCH] glibc:CVE-2017-17426 Huang Qiyu
  2017-12-20  8:32 ` ✗ patchtest: failure for glibc:CVE-2017-17426 Patchwork
@ 2018-01-17  2:46 ` Huang, Qiyu
  2018-01-19 17:32   ` Burton, Ross
  1 sibling, 1 reply; 5+ messages in thread
From: Huang, Qiyu @ 2018-01-17  2:46 UTC (permalink / raw)
  To: openembedded-core

ping


> -----Original Message-----
> From: Huang, Qiyu 
> Sent: Wednesday, December 20, 2017 4:11 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Huang, Qiyu <huangqy.fnst@cn.fujitsu.com>
> Subject: [OE-core][PATCH] glibc:CVE-2017-17426
> 
> Fix the CVE-2017-17426.
> 
> Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
> ---
>  ...-overflow-in-malloc-when-tcache-is-enable.patch | 52
> ++++++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
>  2 files changed, 53 insertions(+)
>  create mode 100644
> meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcache
> -is-enable.patch
> 
> diff --git
> a/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcac
> he-is-enable.patch
> b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-when-tcac
> he-is-enable.patch
> new file mode 100644
> index 0000000..623bed7
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-
> +++ when-tcache-is-enable.patch
> @@ -0,0 +1,52 @@
> +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00
> 2001
> +From: Arjun Shankar <arjun@redhat.com>
> +Date: Thu, 30 Nov 2017 13:31:45 +0100
> +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled
> +[BZ  #22375]
> +
> +When the per-thread cache is enabled, __libc_malloc uses request2size
> +(which does not perform an overflow check) to calculate the chunk size
> +from the requested allocation size. This leads to an integer overflow
> +causing malloc to incorrectly return the last successfully allocated
> +block when called with a very large size argument (close to SIZE_MAX).
> +
> +This commit uses checked_request2size instead, removing the overflow.
> +
> +Upstream-status: Backport
> +---
> + ChangeLog       | 6 ++++++
> + malloc/malloc.c | 3 ++-
> + 2 files changed, 8 insertions(+), 1 deletion(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index b55ed22..888f9fb 100644
> +--- a/ChangeLog
> ++++ b/ChangeLog
> +@@ -1,3 +1,9 @@
> ++2017-11-30  Arjun Shankar  <arjun@redhat.com>
> ++
> ++	[BZ #22375]
> ++	* malloc/malloc.c (__libc_malloc): Use checked_request2size
> ++	instead of request2size.
> ++
> + 2017-08-02  Siddhesh Poyarekar  <siddhesh@sourceware.org>
> +
> + 	* sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
> +diff --git a/malloc/malloc.c b/malloc/malloc.c index 79f0e9e..0c9e074
> +100644
> +--- a/malloc/malloc.c
> ++++ b/malloc/malloc.c
> +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
> +     return (*hook)(bytes, RETURN_ADDRESS (0));  #if USE_TCACHE
> +   /* int_free also calls request2size, be careful to not pad twice.
> +*/
> +-  size_t tbytes = request2size (bytes);
> ++  size_t tbytes;
> ++  checked_request2size (bytes, tbytes);
> +   size_t tc_idx = csize2tidx (tbytes);
> +
> +   MAYBE_INIT_TCACHE ();
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.26.bb
> b/meta/recipes-core/glibc/glibc_2.26.bb
> index 135ec4f..36b2004 100644
> --- a/meta/recipes-core/glibc/glibc_2.26.bb
> +++ b/meta/recipes-core/glibc/glibc_2.26.bb
> @@ -43,6 +43,7 @@ SRC_URI =
> "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> 
> file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
>             file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
>             file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
> +
> + file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
> + \
>  "
> 
>  NATIVESDKFIXES ?= ""
> --
> 2.7.4





* Re: [PATCH] glibc:CVE-2017-17426
  2018-01-17  2:46 ` [PATCH] glibc:CVE-2017-17426 Huang, Qiyu
@ 2018-01-19 17:32   ` Burton, Ross
  2018-01-21 16:23     ` akuster808
  0 siblings, 1 reply; 5+ messages in thread
From: Burton, Ross @ 2018-01-19 17:32 UTC (permalink / raw)
  To: Huang, Qiyu; +Cc: openembedded-core


This needs rebasing to master, and I suspect your email servers are
corrupting your mails as I often have to go and fix up your patches which
have had long lines wrapped:

Applying: glibc:CVE-2017-17426
error: corrupt patch at line 64

Ross

On 17 January 2018 at 02:46, Huang, Qiyu <huangqy.fnst@cn.fujitsu.com>
wrote:

> ping
>
>
> > -----Original Message-----
> > From: Huang, Qiyu
> > Sent: Wednesday, December 20, 2017 4:11 PM
> > To: openembedded-core@lists.openembedded.org
> > Cc: Huang, Qiyu <huangqy.fnst@cn.fujitsu.com>
> > Subject: [OE-core][PATCH] glibc:CVE-2017-17426
> >
> > Fix the CVE-2017-17426.
> >
> > Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
> > ---
> >  ...-overflow-in-malloc-when-tcache-is-enable.patch | 52
> > ++++++++++++++++++++++
> >  meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
> >  2 files changed, 53 insertions(+)
> >  create mode 100644
> > meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-
> malloc-when-tcache
> > -is-enable.patch
> >
> > diff --git
> > a/meta/recipes-core/glibc/glibc/0029-Fix-integer-
> overflow-in-malloc-when-tcac
> > he-is-enable.patch
> > b/meta/recipes-core/glibc/glibc/0029-Fix-integer-
> overflow-in-malloc-when-tcac
> > he-is-enable.patch
> > new file mode 100644
> > index 0000000..623bed7
> > --- /dev/null
> > +++ b/meta/recipes-core/glibc/glibc/0029-Fix-integer-overflow-in-malloc-
> > +++ when-tcache-is-enable.patch
> > @@ -0,0 +1,52 @@
> > +From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00
> > 2001
> > +From: Arjun Shankar <arjun@redhat.com>
> > +Date: Thu, 30 Nov 2017 13:31:45 +0100
> > +Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled
> > +[BZ  #22375]
> > +
> > +When the per-thread cache is enabled, __libc_malloc uses request2size
> > +(which does not perform an overflow check) to calculate the chunk size
> > +from the requested allocation size. This leads to an integer overflow
> > +causing malloc to incorrectly return the last successfully allocated
> > +block when called with a very large size argument (close to SIZE_MAX).
> > +
> > +This commit uses checked_request2size instead, removing the overflow.
> > +
> > +Upstream-status: Backport
> > +---
> > + ChangeLog       | 6 ++++++
> > + malloc/malloc.c | 3 ++-
> > + 2 files changed, 8 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/ChangeLog b/ChangeLog
> > +index b55ed22..888f9fb 100644
> > +--- a/ChangeLog
> > ++++ b/ChangeLog
> > +@@ -1,3 +1,9 @@
> > ++2017-11-30  Arjun Shankar  <arjun@redhat.com>
> > ++
> > ++    [BZ #22375]
> > ++    * malloc/malloc.c (__libc_malloc): Use checked_request2size
> > ++    instead of request2size.
> > ++
> > + 2017-08-02  Siddhesh Poyarekar  <siddhesh@sourceware.org>
> > +
> > +     * sysdeps/sparc/sparc32/sparcv9/fpu/multiarch/s_llrint.S
> > +diff --git a/malloc/malloc.c b/malloc/malloc.c index 79f0e9e..0c9e074
> > +100644
> > +--- a/malloc/malloc.c
> > ++++ b/malloc/malloc.c
> > +@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
> > +     return (*hook)(bytes, RETURN_ADDRESS (0));  #if USE_TCACHE
> > +   /* int_free also calls request2size, be careful to not pad twice.
> > +*/
> > +-  size_t tbytes = request2size (bytes);
> > ++  size_t tbytes;
> > ++  checked_request2size (bytes, tbytes);
> > +   size_t tc_idx = csize2tidx (tbytes);
> > +
> > +   MAYBE_INIT_TCACHE ();
> > +--
> > +2.7.4
> > +
> > diff --git a/meta/recipes-core/glibc/glibc_2.26.bb
> > b/meta/recipes-core/glibc/glibc_2.26.bb
> > index 135ec4f..36b2004 100644
> > --- a/meta/recipes-core/glibc/glibc_2.26.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.26.bb
> > @@ -43,6 +43,7 @@ SRC_URI =
> > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> >
> > file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
> >             file://0027-glibc-reset-dl-load-write-lock-after-forking.patch
> \
> >             file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
> > +
> > + file://0029-Fix-integer-overflow-in-malloc-when-tcache-is-enable.patch
> > + \
> >  "
> >
> >  NATIVESDKFIXES ?= ""
> > --
> > 2.7.4
>
>
>


* Re: [PATCH] glibc:CVE-2017-17426
  2018-01-19 17:32   ` Burton, Ross
@ 2018-01-21 16:23     ` akuster808
  0 siblings, 0 replies; 5+ messages in thread
From: akuster808 @ 2018-01-21 16:23 UTC (permalink / raw)
  To: Burton, Ross, Huang, Qiyu; +Cc: openembedded-core



I have rebased this patch to latest master. I will be sending a few
more glibc fixes.

Hope I don't step on anyone's toes.

- armin


On 01/19/2018 09:32 AM, Burton, Ross wrote:
> Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>

