diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-06-11 17:33:36 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2015-06-11 17:33:36 +0000 |
| commit | 5917f1a2f11db762a8d82ec751d7a4a8ace89565 (patch) | |
| tree | cfdd3c35b836488070ad63894455ab513c4d0816 /gnu/lib/libiberty | |
| parent | 4ed89a3c367dfa97c1aa0977c536ca69778f75c0 (diff) | |
Fix CVE-2012-3509, an integer overflow in libiberty, leading to
heap-buffer overflow.
From Sebastian Trahm; OK deraadt@
Diffstat (limited to 'gnu/lib/libiberty')
| -rw-r--r-- | gnu/lib/libiberty/include/objalloc.h | 29 | ||||
| -rw-r--r-- | gnu/lib/libiberty/src/objalloc.c | 11 |
2 files changed, 23 insertions, 17 deletions
diff --git a/gnu/lib/libiberty/include/objalloc.h b/gnu/lib/libiberty/include/objalloc.h index 0b451cdc295..c0d9214a754 100644 --- a/gnu/lib/libiberty/include/objalloc.h +++ b/gnu/lib/libiberty/include/objalloc.h @@ -1,5 +1,5 @@ /* objalloc.h -- routines to allocate memory for objects - Copyright 1997 Free Software Foundation, Inc. + Copyright 1997-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it @@ -14,8 +14,8 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software -Foundation, 59 Temple Place - Suite 330, -Boston, MA 02111-1307, USA. */ +Foundation, 51 Franklin Street - Fifth Floor, +Boston, MA 02110-1301, USA. */ #ifndef OBJALLOC_H #define OBJALLOC_H @@ -45,7 +45,7 @@ struct objalloc { char *current_ptr; unsigned int current_space; - PTR chunks; + void *chunks; }; /* Work out the required alignment. */ @@ -56,21 +56,20 @@ struct objalloc_align { char x; double d; }; #ifndef offsetof #include <stddef.h> #endif -#define OBJALLOC_ALIGN \ - ((ptrdiff_t) ((char *) &((struct objalloc_align *) 0)->d - (char *) 0)) -#else -#define OBJALLOC_ALIGN \ - ((long) ((char *) &((struct objalloc_align *) 0)->d - (char *) 0)) #endif +#ifndef offsetof +#define offsetof(TYPE, MEMBER) ((unsigned long) &((TYPE *)0)->MEMBER) +#endif +#define OBJALLOC_ALIGN offsetof (struct objalloc_align, d) /* Create an objalloc structure. Returns NULL if malloc fails. */ -extern struct objalloc *objalloc_create PARAMS ((void)); +extern struct objalloc *objalloc_create (void); /* Allocate space from an objalloc structure. Returns NULL if malloc fails. */ -extern PTR _objalloc_alloc PARAMS ((struct objalloc *, unsigned long)); +extern void *_objalloc_alloc (struct objalloc *, unsigned long); /* The macro version of objalloc_alloc. We only define this if using gcc, because otherwise we would have to evaluate the arguments @@ -92,10 +91,10 @@ extern PTR _objalloc_alloc PARAMS ((struct objalloc *, unsigned long)); if (__len == 0) \ __len = 1; \ __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); \ - (__len <= __o->current_space \ + (__len != 0 && __len <= __o->current_space \ ? (__o->current_ptr += __len, \ __o->current_space -= __len, \ - (PTR) (__o->current_ptr - __len)) \ + (void *) (__o->current_ptr - __len)) \ : _objalloc_alloc (__o, __len)); }) #else /* ! __GNUC__ */ @@ -106,11 +105,11 @@ extern PTR _objalloc_alloc PARAMS ((struct objalloc *, unsigned long)); /* Free an entire objalloc structure. */ -extern void objalloc_free PARAMS ((struct objalloc *)); +extern void objalloc_free (struct objalloc *); /* Free a block allocated by objalloc_alloc. This also frees all more recently allocated blocks. */ -extern void objalloc_free_block PARAMS ((struct objalloc *, PTR)); +extern void objalloc_free_block (struct objalloc *, void *); #endif /* OBJALLOC_H */ diff --git a/gnu/lib/libiberty/src/objalloc.c b/gnu/lib/libiberty/src/objalloc.c index 3ddac2ce4cb..a2be3a1d368 100644 --- a/gnu/lib/libiberty/src/objalloc.c +++ b/gnu/lib/libiberty/src/objalloc.c @@ -1,5 +1,5 @@ /* objalloc.c -- routines to allocate memory for objects - Copyright 1997 Free Software Foundation, Inc. + Copyright 1997-2012 Free Software Foundation, Inc. Written by Ian Lance Taylor, Cygnus Solutions. This program is free software; you can redistribute it and/or modify it @@ -112,8 +112,10 @@ objalloc_create (void) /* Allocate space from an objalloc structure. */ PTR -_objalloc_alloc (struct objalloc *o, unsigned long len) +_objalloc_alloc (struct objalloc *o, unsigned long original_len) { + unsigned long len = original_len; + /* We avoid confusion from zero sized objects by always allocating at least 1 byte. */ if (len == 0) @@ -121,6 +123,11 @@ _objalloc_alloc (struct objalloc *o, unsigned long len) len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); + /* CVE-2012-3509: Check for overflow in the alignment operation above + * and then malloc argument below. */ + if (len + CHUNK_HEADER_SIZE < original_len) + return NULL; + if (len <= o->current_space) { o->current_ptr += len; |