oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: memory allocator upstream patches

From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 07 Jun 2012 13:12:52 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2012 11:54 PM, Xi Wang wrote:

Hi,

I would like to share some upstream patches of two specific types
of memory allocator vulnerabilities.

* malloc(n) size overflow.

Consider the following code pattern.

      n = read_from_input();
      p = malloc(n);
      if (p)
              memcpy(p, input_buffer, n);

Some malloc() implementations internally perform alignment/padding
for a large n, and the allocation size wraps around to a small
integer.  That means they would allocate a smaller buffer than
expected, leading to buffer overflow.

* calloc(n, size) size overflow.

Some calloc() implementations don't check for n * size multiplication
overflow, and would allocate a smaller buffer than expected,
leading to buffer overflow.

The two types of vulnerabilities can be easily reproduced using
malloc(-1) and calloc(BIG-VALUE, BIG-VALUE).  If the return values
are non-null, the implementations are likely to be problematic.

See a more complete list at:

http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/

Below are some recent upstream fixes.


Boehm-Demers-Weiser GC (libgc)
==============================

malloc() size overflow, upstream patch (revised by the developers):



https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1


The bug in mallocx.c was found by Ivan Maidanski.

calloc() size overflow, upstream patch (revised by the developers):



https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a



https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3



https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb

https://github.com/ivmai/bdwgc/blob/master/malloc.c
https://github.com/ivmai/bdwgc/blob/master/mallocx.c

Please use CVE-2012-2673 for this issue


bionic (Android libc)
=====================

malloc() size overflow, upstream patch (revised by the developers):



https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385


NB: this vulnerability could only be triggered in debug mode, the
same as CVE-2009-0607, calloc() size overflow.


https://github.com/android/platform_bionic/blob/master/libc/bionic/malloc_debug_leak.c

Please use CVE-2012-2674 for this issue


nedmalloc
=========

malloc() size overflow, upstream patch:



https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000


calloc() size overflow, upstream patch:



https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1

https://github.com/ned14/nedmalloc/blob/master/nedmalloc.c

Please use CVE-2012-2675 for this issue


Hoard
=====

http://www.hoard.org/

malloc() size overflow, confirmed by the developers via email in
this March, no upstream patch available (since 3.8).

calloc() size overflow, which should only happen on non-glibc
platforms (e.g., Mac OS X).  It has not been confirmed by the
developers, but one can easily reproduce it.


hoard-38/src/tlab.h

Please use CVE-2012-2676 for this issue


boost::pool
===========

ordered_malloc() (similar to calloc()) size overflow, upstream patch:

https://svn.boost.org/trac/boost/changeset/78326


http://www.boost.org/doc/libs/1_49_0/boost/pool/poolfwd.hpp

Please use CVE-2012-2677 for this issue


- xi




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP0P00AAoJEBYNRVNeJnmTegUP/RzPWBuDk5uc5VX7GfNwl2bV
Tj6vK8eR3PqC0eWZ9J84Ak1Rr/sArq7+eF2jQzB2y5nazrvq8+CbLG45+aG/tc/k
/s1WgQlPf0/cSdG5KtXqQAot/DNwBr91gzPiXzLhH4VriglZkmyYnQoatUq7qg+X
95dlGcDiA9MZBs8/Y9hffUQpT6A59RBR1Js/wIuKxgVuvR6FHr5K6kT8ugj7u5n6
4gsvpL16rpAqUtaDrbrYS/E1wde0X4X++mwdMe+Qnjh4ZmVINPcF845QMmPUKKzN
ub2q/aibzI3c7UxHVW6yPO4kY14dWHQIJkIB4r6nPNkUlkHEsCageMYqUA+iK8d8
/c0xbUjEk6Lq9mWjduHCTdXxgSJcZRl5+v64qAAkGXn2Iry1t0LxLUvQagyG/YYl
laYogHq57jS7gl5bWnPNRFiWo5/zS5n7t6F+T2s98Oly9guNTOZXqe3bzHkJDBO3
Wcv6GNZ+awN0XVLHgBIzky5LCDHbCQrjr/JZvD55HNt9gCmsJzgg0C4iXda86hUd
+yLPQ7tzPIXaruco5GdBh24k6pHuvXfUoeIitRHdb/a1lUqY+9Prcrn0/uC9O6H9
i6RZ7Oki4mE4LBOWP4C/2CxR87tqNmMv2/NKvlMhBVM7IdIxtinXHmwZZGS2aywo
/9xo9gM88fT2SmjREZu3
=Zv9/
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: