This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
Re: [PATCH] PR other/54411: libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
- From: Florian Weimer <fweimer at redhat dot com>
- To: Ian Lance Taylor <iant at google dot com>
- Cc: gcc-patches at gcc dot gnu dot org
- Date: Mon, 17 Sep 2012 11:49:04 +0200
- Subject: Re: [PATCH] PR other/54411: libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
- References: <876281zjr0.fsf@mid.deneb.enyo.de> <CAKOQZ8x-pM48K5Uo9Bq_wf4EuKzhjwK5H=qhVUh4FyEa2JKGNA@mail.gmail.com>
On 09/05/2012 07:31 AM, Ian Lance Taylor wrote:
On Wed, Aug 29, 2012 at 10:32 AM, Florian Weimer <fw@deneb.enyo.de> wrote:
This patches fixes an integer overflow in libiberty, which leads to
crashes in binutils. The long version of the objalloc_alloc macro
would have needed another conditional, so I removed that and replaced
it with a call to the actual implementation.
I guess I don't see why removing the macro is desirable. In many uses
of objalloc_alloc the conditional can be optimized out anyhow. It's
true that it can't always be, but, so what? The macro is probably
still a win.
Fair enough. I've added a wraparound check to the macro. Okay for trunk?
--
Florian Weimer / Red Hat Product Security Team
2012-09-17 Florian Weimer <fweimer@redhat.com>
PR other/54411
* objalloc.h (objalloc_alloc): Do not use fast path on wraparound.
2012-09-17 Florian Weimer <fweimer@redhat.com>
PR other/54411
* objalloc.c (_objalloc_alloc): Add overflow check covering
alignment and CHUNK_HEADER_SIZE addition.
Index: libiberty/objalloc.c
===================================================================
--- libiberty/objalloc.c (revision 191378)
+++ libiberty/objalloc.c (working copy)
@@ -1,5 +1,5 @@
/* objalloc.c -- routines to allocate memory for objects
- Copyright 1997 Free Software Foundation, Inc.
+ Copyright 1997-2012 Free Software Foundation, Inc.
Written by Ian Lance Taylor, Cygnus Solutions.
This program is free software; you can redistribute it and/or modify it
@@ -112,8 +112,9 @@
/* Allocate space from an objalloc structure. */
PTR
-_objalloc_alloc (struct objalloc *o, unsigned long len)
+_objalloc_alloc (struct objalloc *o, unsigned long original_len)
{
+ unsigned long len = original_len;
/* We avoid confusion from zero sized objects by always allocating
at least 1 byte. */
if (len == 0)
@@ -121,6 +122,11 @@
len = (len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1);
+ /* Check for overflow in the alignment operation above and the
+ malloc argument below. */
+ if (len + CHUNK_HEADER_SIZE < original_len)
+ return NULL;
+
if (len <= o->current_space)
{
o->current_ptr += len;
Index: include/objalloc.h
===================================================================
--- include/objalloc.h (revision 191378)
+++ include/objalloc.h (working copy)
@@ -1,5 +1,5 @@
/* objalloc.h -- routines to allocate memory for objects
- Copyright 1997, 2001 Free Software Foundation, Inc.
+ Copyright 1997-2012 Free Software Foundation, Inc.
Written by Ian Lance Taylor, Cygnus Solutions.
This program is free software; you can redistribute it and/or modify it
@@ -91,7 +91,7 @@
if (__len == 0) \
__len = 1; \
__len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); \
- (__len <= __o->current_space \
+ (__len && __len <= __o->current_space \
? (__o->current_ptr += __len, \
__o->current_space -= __len, \
(void *) (__o->current_ptr - __len)) \