Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 07 Jun 2012 13:12:52 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Xi Wang <xi.wang@...il.com>, boost@...ts.boost.org, emery@...umass.edu,
        ivmai@...l.ru, webmaster2@...prod.com
Subject: Re: memory allocator upstream patches

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2012 11:54 PM, Xi Wang wrote:
> Hi,
>
> I would like to share some upstream patches of two specific types
> of memory allocator vulnerabilities.
>
> * malloc(n) size overflow.
>
> Consider the following code pattern.
>
> 	n = read_from_input();
> 	p = malloc(n);
> 	if (p)
> 		memcpy(p, input_buffer, n);
>
> Some malloc() implementations internally perform alignment/padding
> for a large n, and the allocation size wraps around to a small
> integer.  That means they would allocate a smaller buffer than
> expected, leading to buffer overflow.
>
> * calloc(n, size) size overflow.
>
> Some calloc() implementations don't check for n * size multiplication
> overflow, and would allocate a smaller buffer than expected,
> leading to buffer overflow.
>
> The two types of vulnerabilities can be easily reproduced using
> malloc(-1) and calloc(BIG-VALUE, BIG-VALUE).  If the return values
> are non-null, the implementations are likely to be problematic.
>
> See a more complete list at:
>
> http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/
>
> Below are some recent upstream fixes.
>
>
> Boehm-Demers-Weiser GC (libgc)
> ==============================
>
> malloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1
>
> The bug in mallocx.c was found by Ivan Maidanski.
>
> calloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a
>
https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3
>
https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb

https://github.com/ivmai/bdwgc/blob/master/malloc.c
https://github.com/ivmai/bdwgc/blob/master/mallocx.c

Please use CVE-2012-2673 for this issue

> bionic (Android libc)
> =====================
>
> malloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385
>
> NB: this vulnerability could only be triggered in debug mode, the
> same as CVE-2009-0607, calloc() size overflow.

https://github.com/android/platform_bionic/blob/master/libc/bionic/malloc_debug_leak.c

Please use CVE-2012-2674 for this issue

> nedmalloc
> =========
>
> malloc() size overflow, upstream patch:
>
>
https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000
>
> calloc() size overflow, upstream patch:
>
>
https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1

https://github.com/ned14/nedmalloc/blob/master/nedmalloc.c

Please use CVE-2012-2675 for this issue

> Hoard
> =====
>
> http://www.hoard.org/
>
> malloc() size overflow, confirmed by the developers via email in
> this March, no upstream patch available (since 3.8).
>
> calloc() size overflow, which should only happen on non-glibc
> platforms (e.g., Mac OS X).  It has not been confirmed by the
> developers, but one can easily reproduce it.

hoard-38/src/tlab.h

Please use CVE-2012-2676 for this issue

> boost::pool
> ===========
>
> ordered_malloc() (similar to calloc()) size overflow, upstream patch:
>
> https://svn.boost.org/trac/boost/changeset/78326

http://www.boost.org/doc/libs/1_49_0/boost/pool/poolfwd.hpp

Please use CVE-2012-2677 for this issue

> - xi



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP0P00AAoJEBYNRVNeJnmTegUP/RzPWBuDk5uc5VX7GfNwl2bV
Tj6vK8eR3PqC0eWZ9J84Ak1Rr/sArq7+eF2jQzB2y5nazrvq8+CbLG45+aG/tc/k
/s1WgQlPf0/cSdG5KtXqQAot/DNwBr91gzPiXzLhH4VriglZkmyYnQoatUq7qg+X
95dlGcDiA9MZBs8/Y9hffUQpT6A59RBR1Js/wIuKxgVuvR6FHr5K6kT8ugj7u5n6
4gsvpL16rpAqUtaDrbrYS/E1wde0X4X++mwdMe+Qnjh4ZmVINPcF845QMmPUKKzN
ub2q/aibzI3c7UxHVW6yPO4kY14dWHQIJkIB4r6nPNkUlkHEsCageMYqUA+iK8d8
/c0xbUjEk6Lq9mWjduHCTdXxgSJcZRl5+v64qAAkGXn2Iry1t0LxLUvQagyG/YYl
laYogHq57jS7gl5bWnPNRFiWo5/zS5n7t6F+T2s98Oly9guNTOZXqe3bzHkJDBO3
Wcv6GNZ+awN0XVLHgBIzky5LCDHbCQrjr/JZvD55HNt9gCmsJzgg0C4iXda86hUd
+yLPQ7tzPIXaruco5GdBh24k6pHuvXfUoeIitRHdb/a1lUqY+9Prcrn0/uC9O6H9
i6RZ7Oki4mE4LBOWP4C/2CxR87tqNmMv2/NKvlMhBVM7IdIxtinXHmwZZGS2aywo
/9xo9gM88fT2SmjREZu3
=Zv9/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.