This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.26.9000-977-g8a0b17e
- From: fw at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 14 Dec 2017 14:31:42 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.26.9000-977-g8a0b17e
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 8a0b17e48b83e933960dfeb8fa08b259f03f310e (commit)
from f58bd7f055988d367d8118ccbc4cb8c4dbfd9db2 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8a0b17e48b83e933960dfeb8fa08b259f03f310e
commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Dec 14 15:18:38 2017 +0100
elf: Compute correct array size in _dl_init_paths [BZ #22606]
diff --git a/ChangeLog b/ChangeLog
index 49fcee9..521ef46 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2017-12-14 Florian Weimer <fweimer@redhat.com>
+ [BZ #22606]
+ CVE-2017-1000408
+ * elf/dl-load.c (system_dirs): Update comment.
+ (nsystem_dirs_len): Use array_length.
+ (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
Simplify compiling most of support/ outside of glibc.
* support/check_addrinfo.c: Include <string.h>.
* support/check_dns_packet.c: Likewise.
diff --git a/NEWS b/NEWS
index abbe561..eef51b6 100644
--- a/NEWS
+++ b/NEWS
@@ -125,6 +125,11 @@ Security related changes:
instead of NULL. This was a regression introduced with the new malloc
thread cache in glibc 2.26. Reported by Iain Buclaw.
+ CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+ to the allocation of too much memory. (This is not a security bug per se,
+ it is mentioned here only because of the CVE assignment.) Reported by
+ Qualys.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 10d859b..5f1f908 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -37,6 +37,7 @@
#include <sysdep.h>
#include <stap-probe.h>
#include <libc-pointer-arith.h>
+#include <array_length.h>
#include <dl-dst.h>
#include <dl-load.h>
@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
{
SYSTEM_DIRS_LEN
};
-#define nsystem_dirs_len \
- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
static bool
is_trusted_path (const char *path, size_t len)
@@ -685,9 +686,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 ++++++++
NEWS | 5 +++++
elf/dl-load.c | 14 +++++++-------
3 files changed, 20 insertions(+), 7 deletions(-)
hooks/post-receive
--
GNU C Library master sources