oss-sec mailing list archives
Re: memory allocator upstream patches
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 07 Jun 2012 13:12:52 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/04/2012 11:54 PM, Xi Wang wrote:
Hi, I would like to share some upstream patches of two specific types of memory allocator vulnerabilities. * malloc(n) size overflow. Consider the following code pattern. n = read_from_input(); p = malloc(n); if (p) memcpy(p, input_buffer, n); Some malloc() implementations internally perform alignment/padding for a large n, and the allocation size wraps around to a small integer. That means they would allocate a smaller buffer than expected, leading to buffer overflow. * calloc(n, size) size overflow. Some calloc() implementations don't check for n * size multiplication overflow, and would allocate a smaller buffer than expected, leading to buffer overflow. The two types of vulnerabilities can be easily reproduced using malloc(-1) and calloc(BIG-VALUE, BIG-VALUE). If the return values are non-null, the implementations are likely to be problematic. See a more complete list at: http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/ Below are some recent upstream fixes. Boehm-Demers-Weiser GC (libgc) ============================== malloc() size overflow, upstream patch (revised by the developers):
https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1
The bug in mallocx.c was found by Ivan Maidanski. calloc() size overflow, upstream patch (revised by the developers):
https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a
https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3
https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb https://github.com/ivmai/bdwgc/blob/master/malloc.c https://github.com/ivmai/bdwgc/blob/master/mallocx.c Please use CVE-2012-2673 for this issue
bionic (Android libc) ===================== malloc() size overflow, upstream patch (revised by the developers):
https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385
NB: this vulnerability could only be triggered in debug mode, the same as CVE-2009-0607, calloc() size overflow.
https://github.com/android/platform_bionic/blob/master/libc/bionic/malloc_debug_leak.c Please use CVE-2012-2674 for this issue
nedmalloc ========= malloc() size overflow, upstream patch:
https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000
calloc() size overflow, upstream patch:
https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1 https://github.com/ned14/nedmalloc/blob/master/nedmalloc.c Please use CVE-2012-2675 for this issue
Hoard ===== http://www.hoard.org/ malloc() size overflow, confirmed by the developers via email in this March, no upstream patch available (since 3.8). calloc() size overflow, which should only happen on non-glibc platforms (e.g., Mac OS X). It has not been confirmed by the developers, but one can easily reproduce it.
hoard-38/src/tlab.h Please use CVE-2012-2676 for this issue
boost::pool =========== ordered_malloc() (similar to calloc()) size overflow, upstream patch: https://svn.boost.org/trac/boost/changeset/78326
http://www.boost.org/doc/libs/1_49_0/boost/pool/poolfwd.hpp Please use CVE-2012-2677 for this issue
- xi
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJP0P00AAoJEBYNRVNeJnmTegUP/RzPWBuDk5uc5VX7GfNwl2bV Tj6vK8eR3PqC0eWZ9J84Ak1Rr/sArq7+eF2jQzB2y5nazrvq8+CbLG45+aG/tc/k /s1WgQlPf0/cSdG5KtXqQAot/DNwBr91gzPiXzLhH4VriglZkmyYnQoatUq7qg+X 95dlGcDiA9MZBs8/Y9hffUQpT6A59RBR1Js/wIuKxgVuvR6FHr5K6kT8ugj7u5n6 4gsvpL16rpAqUtaDrbrYS/E1wde0X4X++mwdMe+Qnjh4ZmVINPcF845QMmPUKKzN ub2q/aibzI3c7UxHVW6yPO4kY14dWHQIJkIB4r6nPNkUlkHEsCageMYqUA+iK8d8 /c0xbUjEk6Lq9mWjduHCTdXxgSJcZRl5+v64qAAkGXn2Iry1t0LxLUvQagyG/YYl laYogHq57jS7gl5bWnPNRFiWo5/zS5n7t6F+T2s98Oly9guNTOZXqe3bzHkJDBO3 Wcv6GNZ+awN0XVLHgBIzky5LCDHbCQrjr/JZvD55HNt9gCmsJzgg0C4iXda86hUd +yLPQ7tzPIXaruco5GdBh24k6pHuvXfUoeIitRHdb/a1lUqY+9Prcrn0/uC9O6H9 i6RZ7Oki4mE4LBOWP4C/2CxR87tqNmMv2/NKvlMhBVM7IdIxtinXHmwZZGS2aywo /9xo9gM88fT2SmjREZu3 =Zv9/ -----END PGP SIGNATURE-----
Current thread:
- memory allocator upstream patches Xi Wang (Jun 04)
- Re: memory allocator upstream patches Jan Lieskovsky (Jun 07)
- Re: memory allocator upstream patches Kurt Seifried (Jun 07)