new file mode 100644

@@ -0,0 +1,35 @@

+From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001

+From: Arjun Shankar <arjun@redhat.com>

+Date: Thu, 30 Nov 2017 13:31:45 +0100

+Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ

+ #22375]

+

+When the per-thread cache is enabled, __libc_malloc uses request2size (which

+does not perform an overflow check) to calculate the chunk size from the

+requested allocation size. This leads to an integer overflow causing malloc

+to incorrectly return the last successfully allocated block when called with

+a very large size argument (close to SIZE_MAX).

+

+This commit uses checked_request2size instead, removing the overflow.

+---

+ ChangeLog       | 6 ++++++

+ malloc/malloc.c | 3 ++-

+ 2 files changed, 8 insertions(+), 1 deletion(-)

+

+diff --git a/malloc/malloc.c b/malloc/malloc.c

+index 79f0e9e..0c9e074 100644

+--- a/malloc/malloc.c

+@@ -3031,7 +3031,8 @@ __libc_malloc (size_t bytes)

+     return (*hook)(bytes, RETURN_ADDRESS (0));

+ #if USE_TCACHE

+   /* int_free also calls request2size, be careful to not pad twice.  */

+-  size_t tbytes = request2size (bytes);

++  size_t tbytes;

++  checked_request2size (bytes, tbytes);

+   size_t tc_idx = csize2tidx (tbytes);

+ 

+   MAYBE_INIT_TCACHE ();

+-- 

+2.9.3

+

@@ -1,26 +1,27 @@

 %global security_hardening nonow

 %define glibc_target_cpu %{_build}

-Summary:	Main C library

-Name:		glibc

-Version:	2.26

-Release:	6%{?dist}

-License:	LGPLv2+

-URL:		http://www.gnu.org/software/libc

-Group:		Applications/System

-Vendor:		VMware, Inc.

-Distribution: 	Photon

-Source0:	http://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz

+Summary:        Main C library

+Name:           glibc

+Version:        2.26

+Release:        7%{?dist}

+License:        LGPLv2+

+URL:            http://www.gnu.org/software/libc

+Group:          Applications/System

+Vendor:         VMware, Inc.

+Distribution:   Photon

+Source0:        http://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz

 %define sha1 glibc=7cf7d521f5ebece5dd27cfb3ca5e5f6b84da4bfd

-Source1:	locale-gen.sh

-Source2:	locale-gen.conf

-Patch0:   	http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fhs-1.patch

-Patch1:		glibc-2.24-bindrsvport-blacklist.patch

-Patch2:		0001-Fix-range-check-in-do_tunable_update_val.patch

-Patch3:		0002-malloc-arena-fix.patch

-Patch4:     glibc-fix-CVE-2017-15670.patch

-Patch5:     glibc-fix-CVE-2017-15804.patch

-Provides:	rtld(GNU_HASH)

+Source1:        locale-gen.sh

+Source2:        locale-gen.conf

+Patch0:         http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fhs-1.patch

+Patch1:         glibc-2.24-bindrsvport-blacklist.patch

+Patch2:         0001-Fix-range-check-in-do_tunable_update_val.patch

+Patch3:         0002-malloc-arena-fix.patch

+Patch4:         glibc-fix-CVE-2017-15670.patch

+Patch5:         glibc-fix-CVE-2017-15804.patch

+Patch6:         glibc-fix-CVE-2017-17426.patch

+Provides:       rtld(GNU_HASH)

 Requires:       filesystem

 %description

 This library provides the basic routines for allocating memory,

@@ -79,6 +80,7 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile

 %patch3 -p1

 %patch4 -p1

 %patch5 -p1

+%patch6 -p1

 install -vdm 755 %{_builddir}/%{name}-build

 # do not try to explicitly provide GLIBC_PRIVATE versioned libraries

 %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh

@@ -110,55 +112,55 @@ chmod +x find_requires.sh

 %build

 cd %{_builddir}/%{name}-build

 ../%{name}-%{version}/configure \

-	--prefix=%{_prefix} \

-	--disable-profile \

-	--enable-kernel=2.6.32 \

-	--enable-obsolete-rpc \

-	--enable-obsolete-nsl \

-	--enable-bind-now \

-	--disable-experimental-malloc \

-	--disable-silent-rules

+        --prefix=%{_prefix} \

+        --disable-profile \

+        --enable-kernel=2.6.32 \

+        --enable-obsolete-rpc \

+        --enable-obsolete-nsl \

+        --enable-bind-now \

+        --disable-experimental-malloc \

+        --disable-silent-rules

 # Sometimes we have false "out of memory" make error

 # just rerun/continue make to workaroung it.

 make %{?_smp_mflags} || make %{?_smp_mflags} || make %{?_smp_mflags}

 %install

-#	Do not remove static libs

+#       Do not remove static libs

 pushd %{_builddir}/glibc-build

-#	Create directories

+#       Create directories

 make install_root=%{buildroot} install

 install -vdm 755 %{buildroot}%{_sysconfdir}/ld.so.conf.d

 install -vdm 755 %{buildroot}/var/cache/nscd

 install -vdm 755 %{buildroot}%{_libdir}/locale

 cp -v ../%{name}-%{version}/nscd/nscd.conf %{buildroot}%{_sysconfdir}/nscd.conf

-#	Install locale generation script and config file

+#       Install locale generation script and config file

 cp -v %{SOURCE2} %{buildroot}%{_sysconfdir}

 cp -v %{SOURCE1} %{buildroot}/sbin

-#	Remove unwanted cruft

+#       Remove unwanted cruft

 rm -rf %{buildroot}%{_infodir}

-#	Install configuration files

+#       Install configuration files

 cat > %{buildroot}%{_sysconfdir}/nsswitch.conf <<- "EOF"

-#	Begin /etc/nsswitch.conf

+#       Begin /etc/nsswitch.conf

-	passwd: files

-	group: files

-	shadow: files

+        passwd: files

+        group: files

+        shadow: files

-	hosts: files dns

-	networks: files

+        hosts: files dns

+        networks: files

-	protocols: files

-	services: files

-	ethers: files

-	rpc: files

-#	End /etc/nsswitch.conf

+        protocols: files

+        services: files

+        ethers: files

+        rpc: files

+#       End /etc/nsswitch.conf

 EOF

 cat > %{buildroot}%{_sysconfdir}/ld.so.conf <<- "EOF"

-#	Begin /etc/ld.so.conf

-	/usr/local/lib

-	/opt/lib

-	include /etc/ld.so.conf.d/*.conf

+#       Begin /etc/ld.so.conf

+        /usr/local/lib

+        /opt/lib

+        include /etc/ld.so.conf.d/*.conf

 EOF

 popd

 %find_lang %{name} --all-name

@@ -282,6 +284,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:

 %changelog

+*   Thu Dec 21 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-7

+-   Fix CVE-2017-17426

 *   Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-6

 -   Fix CVE-2017-15670 and CVE-2017-15804

 *   Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-5