This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

alloca avoidance patches


As you might have seen, today a vulnerability was disclosed in
glibc/Linux/GCC, concerning alloca/VLAs, large stack frames, and
aliasing the stack and the heap.

I have posted an immediate stop-gap patch for the dynamic linker to fix
CVE-2017-1000366/swbz#21624.  This should go in ASAP and should be
backported.

I also have non-conforming patches which use NAME_MAX and PATH_MAX for
additional mitigations.  I'll post them shortly, but I expect that only
distributions will pick them up because they do not follow GNU standards
and will not work on the Hurd.

In additional, I have a series of patches which remove alloca from
libintl and vfprintf.

Thanks,
Florian


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]