diff --git a/ChangeLog b/ChangeLog index fab886ab01..29bd704bda 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2017-11-30 Arjun Shankar + + [BZ #22375] + CVE-2017-17426 + * malloc/malloc.c (__libc_malloc): Use checked_request2size + instead of request2size. + 2017-11-02 Florian Weimer [BZ #22332] diff --git a/NEWS b/NEWS index 61bffe0451..895e2bcbf3 100644 --- a/NEWS +++ b/NEWS @@ -39,6 +39,11 @@ Security related changes: without GLOB_NOESCAPE, could write past the end of a buffer while unescaping user names. Reported by Tim Rühsen. + CVE-2017-17426: The malloc function, when called with an object size near + the value SIZE_MAX, would return a pointer to a buffer which is too small, + instead of NULL. This was a regression introduced with the new malloc + thread cache in glibc 2.26. Reported by Iain Buclaw. + The following bugs are resolved with this release: [16750] ldd: Never run file directly. @@ -72,6 +77,7 @@ The following bugs are resolved with this release: [22321] sysconf: Fix missing definition of UIO_MAXIOV on Linux [22322] libc: [mips64] wrong bits/long-double.h installed [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671) + [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) Version 2.26 diff --git a/malloc/malloc.c b/malloc/malloc.c index 7783d05651..6a52c288de 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3029,7 +3029,8 @@ __libc_malloc (size_t bytes) return (*hook)(bytes, RETURN_ADDRESS (0)); #if USE_TCACHE /* int_free also calls request2size, be careful to not pad twice. */ - size_t tbytes = request2size (bytes); + size_t tbytes; + checked_request2size (bytes, tbytes); size_t tc_idx = csize2tidx (tbytes); MAYBE_INIT_TCACHE ();