From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 From: mancha Date: Wed, 11 Sep 2013 Subject: CVE-2013-4332 malloc: Check for integer overflow in pvalloc, valloc, and memalign. A large bytes parameter to pvalloc, valloc, or memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. Note: This is a backport to glibc 2.17 of the following three commits: * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d --- malloc.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t /* Otherwise, ensure that it is at least a minimum chunk size */ if (alignment < MINSIZE) alignment = MINSIZE; + /* Check for overflow. */ + if (bytes > SIZE_MAX - alignment - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + arena_get(ar_ptr, bytes + alignment + MINSIZE); if(!ar_ptr) return 0; @@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) size_t pagesz = GLRO(dl_pagesize); + /* Check for overflow. */ + if (bytes > SIZE_MAX - pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, const __malloc_ptr_t)) = force_reg (__memalign_hook); @@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) size_t page_mask = GLRO(dl_pagesize) - 1; size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + /* Check for overflow. */ + if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) + { + __set_errno (ENOMEM); + return 0; + } + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, const __malloc_ptr_t)) = force_reg (__memalign_hook);