Change-Id: I4155bf68a1ff3558f00ce913c4116e1f41ce6208
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4572
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,35 @@ |
0 |
+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Arjun Shankar <arjun@redhat.com> |
|
2 |
+Date: Thu, 30 Nov 2017 13:31:45 +0100 |
|
3 |
+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ |
|
4 |
+ #22375] |
|
5 |
+ |
|
6 |
+When the per-thread cache is enabled, __libc_malloc uses request2size (which |
|
7 |
+does not perform an overflow check) to calculate the chunk size from the |
|
8 |
+requested allocation size. This leads to an integer overflow causing malloc |
|
9 |
+to incorrectly return the last successfully allocated block when called with |
|
10 |
+a very large size argument (close to SIZE_MAX). |
|
11 |
+ |
|
12 |
+This commit uses checked_request2size instead, removing the overflow. |
|
13 |
+--- |
|
14 |
+ ChangeLog | 6 ++++++ |
|
15 |
+ malloc/malloc.c | 3 ++- |
|
16 |
+ 2 files changed, 8 insertions(+), 1 deletion(-) |
|
17 |
+ |
|
18 |
+diff --git a/malloc/malloc.c b/malloc/malloc.c |
|
19 |
+index 79f0e9e..0c9e074 100644 |
|
20 |
+--- a/malloc/malloc.c |
|
21 |
+@@ -3031,7 +3031,8 @@ __libc_malloc (size_t bytes) |
|
22 |
+ return (*hook)(bytes, RETURN_ADDRESS (0)); |
|
23 |
+ #if USE_TCACHE |
|
24 |
+ /* int_free also calls request2size, be careful to not pad twice. */ |
|
25 |
+- size_t tbytes = request2size (bytes); |
|
26 |
++ size_t tbytes; |
|
27 |
++ checked_request2size (bytes, tbytes); |
|
28 |
+ size_t tc_idx = csize2tidx (tbytes); |
|
29 |
+ |
|
30 |
+ MAYBE_INIT_TCACHE (); |
|
31 |
+-- |
|
32 |
+2.9.3 |
|
33 |
+ |
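Review bot: As rendered, the embedded patch goes from `--- a/malloc/malloc.c` straight to `@@ -3031,7 +3031,8 @@` with no `+++ b/malloc/malloc.c` line, and the new-file header `@@ -0,0 +1,35 @@` announces one more line than is shown. This may only be a rendering loss, but it is worth confirming that the committed file carries the `+++` header so that `%patch6 -p1` applies cleanly rather than relying on patch's file-name guessing. The diffstat also lists `ChangeLog | 6 ++++++` with no matching hunk, presumably dropped on purpose. A header line such as `ChangeLog hunk dropped for downstream packaging` would keep the file easy to compare against upstream commit 34697694e8a93b325b18f25f7dcded55d6baeaf6. `__libc_malloc` starts and ends outside the embedded hunk, so the rest of the tcache path cannot be checked from here.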
... | ... |
@@ -1,26 +1,27 @@ |
1 | 1 |
%global security_hardening nonow |
2 | 2 |
%define glibc_target_cpu %{_build} |
3 | 3 |
|
4 |
-Summary: Main C library |
|
5 |
-Name: glibc |
|
6 |
-Version: 2.26 |
|
7 |
-Release: 7%{?dist} |
|
8 |
-License: LGPLv2+ |
|
9 |
-URL: http://www.gnu.org/software/libc |
|
10 |
-Group: Applications/System |
|
11 |
-Vendor: VMware, Inc. |
|
12 |
-Distribution: Photon |
|
13 |
-Source0: http://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz |
|
14 |
-%define sha1 glibc=7cf7d521f5ebece5dd27cfb3ca5e5f6b84da4bfd |
|
15 |
-Source1: locale-gen.sh |
|
16 |
-Source2: locale-gen.conf |
|
17 |
-Patch0: http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fhs-1.patch |
|
18 |
-Patch1: glibc-2.24-bindrsvport-blacklist.patch |
|
19 |
-Patch2: 0001-Fix-range-check-in-do_tunable_update_val.patch |
|
20 |
-Patch3: 0002-malloc-arena-fix.patch |
|
21 |
-Patch4: glibc-fix-CVE-2017-15670.patch |
|
22 |
-Patch5: glibc-fix-CVE-2017-15804.patch |
|
23 |
-Provides: rtld(GNU_HASH) |
|
4 |
+Summary: Main C library |
|
5 |
+Name: glibc |
|
6 |
+Version: 2.26 |
|
7 |
+Release: 8%{?dist} |
|
8 |
+License: LGPLv2+ |
|
9 |
+URL: http://www.gnu.org/software/libc |
|
10 |
+Group: Applications/System |
|
11 |
+Vendor: VMware, Inc. |
|
12 |
+Distribution: Photon |
|
13 |
+Source0: http://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz |
|
14 |
+%define sha1 glibc=7cf7d521f5ebece5dd27cfb3ca5e5f6b84da4bfd |
|
15 |
+Source1: locale-gen.sh |
|
16 |
+Source2: locale-gen.conf |
|
17 |
+Patch0: http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fhs-1.patch |
|
18 |
+Patch1: glibc-2.24-bindrsvport-blacklist.patch |
|
19 |
+Patch2: 0001-Fix-range-check-in-do_tunable_update_val.patch |
|
20 |
+Patch3: 0002-malloc-arena-fix.patch |
|
21 |
+Patch4: glibc-fix-CVE-2017-15670.patch |
|
22 |
+Patch5: glibc-fix-CVE-2017-15804.patch |
|
23 |
+Patch6: glibc-fix-CVE-2017-17426.patch |
|
24 |
+Provides: rtld(GNU_HASH) |
|
24 | 25 |
Requires: filesystem |
25 | 26 |
%description |
26 | 27 |
This library provides the basic routines for allocating memory, |
... | ... |
@@ -79,6 +80,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile |
79 | 79 |
%patch3 -p1 |
80 | 80 |
%patch4 -p1 |
81 | 81 |
%patch5 -p1 |
82 |
+%patch6 -p1 |
|
82 | 83 |
install -vdm 755 %{_builddir}/%{name}-build |
83 | 84 |
# do not try to explicitly provide GLIBC_PRIVATE versioned libraries |
84 | 85 |
%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh |
... | ... |
@@ -110,55 +112,55 @@ chmod +x find_requires.sh |
110 | 110 |
%build |
111 | 111 |
cd %{_builddir}/%{name}-build |
112 | 112 |
../%{name}-%{version}/configure \ |
113 |
- --prefix=%{_prefix} \ |
|
114 |
- --disable-profile \ |
|
115 |
- --enable-kernel=2.6.32 \ |
|
116 |
- --enable-obsolete-rpc \ |
|
117 |
- --enable-obsolete-nsl \ |
|
118 |
- --enable-bind-now \ |
|
119 |
- --disable-experimental-malloc \ |
|
120 |
- --disable-silent-rules |
|
113 |
+ --prefix=%{_prefix} \ |
|
114 |
+ --disable-profile \ |
|
115 |
+ --enable-kernel=2.6.32 \ |
|
116 |
+ --enable-obsolete-rpc \ |
|
117 |
+ --enable-obsolete-nsl \ |
|
118 |
+ --enable-bind-now \ |
|
119 |
+ --disable-experimental-malloc \ |
|
120 |
+ --disable-silent-rules |
|
121 | 121 |
|
122 | 122 |
# Sometimes we have false "out of memory" make error |
123 | 123 |
# just rerun/continue make to workaroung it. |
124 | 124 |
make %{?_smp_mflags} || make %{?_smp_mflags} || make %{?_smp_mflags} |
125 | 125 |
|
126 | 126 |
%install |
127 |
-# Do not remove static libs |
|
127 |
+# Do not remove static libs |
|
128 | 128 |
pushd %{_builddir}/glibc-build |
129 |
-# Create directories |
|
129 |
+# Create directories |
|
130 | 130 |
make install_root=%{buildroot} install |
131 | 131 |
install -vdm 755 %{buildroot}%{_sysconfdir}/ld.so.conf.d |
132 | 132 |
install -vdm 755 %{buildroot}/var/cache/nscd |
133 | 133 |
install -vdm 755 %{buildroot}%{_libdir}/locale |
134 | 134 |
cp -v ../%{name}-%{version}/nscd/nscd.conf %{buildroot}%{_sysconfdir}/nscd.conf |
135 |
-# Install locale generation script and config file |
|
135 |
+# Install locale generation script and config file |
|
136 | 136 |
cp -v %{SOURCE2} %{buildroot}%{_sysconfdir} |
137 | 137 |
cp -v %{SOURCE1} %{buildroot}/sbin |
138 |
-# Remove unwanted cruft |
|
138 |
+# Remove unwanted cruft |
|
139 | 139 |
rm -rf %{buildroot}%{_infodir} |
140 |
-# Install configuration files |
|
140 |
+# Install configuration files |
|
141 | 141 |
cat > %{buildroot}%{_sysconfdir}/nsswitch.conf <<- "EOF" |
142 |
-# Begin /etc/nsswitch.conf |
|
142 |
+# Begin /etc/nsswitch.conf |
|
143 | 143 |
|
144 |
- passwd: files |
|
145 |
- group: files |
|
146 |
- shadow: files |
|
144 |
+ passwd: files |
|
145 |
+ group: files |
|
146 |
+ shadow: files |
|
147 | 147 |
|
148 |
- hosts: files dns |
|
149 |
- networks: files |
|
148 |
+ hosts: files dns |
|
149 |
+ networks: files |
|
150 | 150 |
|
151 |
- protocols: files |
|
152 |
- services: files |
|
153 |
- ethers: files |
|
154 |
- rpc: files |
|
155 |
-# End /etc/nsswitch.conf |
|
151 |
+ protocols: files |
|
152 |
+ services: files |
|
153 |
+ ethers: files |
|
154 |
+ rpc: files |
|
155 |
+# End /etc/nsswitch.conf |
|
156 | 156 |
EOF |
157 | 157 |
cat > %{buildroot}%{_sysconfdir}/ld.so.conf <<- "EOF" |
158 |
-# Begin /etc/ld.so.conf |
|
159 |
- /usr/local/lib |
|
160 |
- /opt/lib |
|
161 |
- include /etc/ld.so.conf.d/*.conf |
|
158 |
+# Begin /etc/ld.so.conf |
|
159 |
+ /usr/local/lib |
|
160 |
+ /opt/lib |
|
161 |
+ include /etc/ld.so.conf.d/*.conf |
|
162 | 162 |
EOF |
163 | 163 |
popd |
164 | 164 |
%find_lang %{name} --all-name |
... | ... |
@@ -283,6 +285,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: |
283 | 283 |
|
284 | 284 |
|
285 | 285 |
%changelog |
286 |
+* Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-8 |
|
287 |
+- Fix CVE-2017-17426 |
|
286 | 288 |
* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-7 |
287 | 289 |
- Aarch64 support |
288 | 290 |
* Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-6 |
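Review bot: The configure call in `%build` still passes `--disable-experimental-malloc`, while the only code `glibc-fix-CVE-2017-17426.patch` changes sits under `#if USE_TCACHE`, so the fixed path may not be compiled into this package at all. In upstream 2.26 that configure option is what switches the per-thread cache off; if that holds for this build, release 7 was not exposed and the patch is a safeguard for a later re-enable. Please confirm this and record it, so that scanners and downstream consumers can tell exposure from hardening. For example, the `%changelog` entry could read `- Fix CVE-2017-17426 (tcache malloc size overflow; tcache is disabled in this build)`. Separately, many lines in this section are removed and re-added with no visible difference, which looks like whitespace or line-ending churn and makes the security-relevant `Patch6:`/`%patch6` additions harder to audit; splitting it into its own commit would help.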