Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 07 Jun 2012 13:12:52 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Xi Wang <xi.wang@...il.com>, boost@...ts.boost.org, emery@...umass.edu,
        ivmai@...l.ru, webmaster2@...prod.com
Subject: Re: memory allocator upstream patches

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/2012 11:54 PM, Xi Wang wrote:
> Hi,
>
> I would like to share some upstream patches of two specific types
> of memory allocator vulnerabilities.
>
> * malloc(n) size overflow.
>
> Consider the following code pattern.
>
> 	n = read_from_input();
> 	p = malloc(n);
> 	if (p)
> 		memcpy(p, input_buffer, n);
>
> Some malloc() implementations internally perform alignment/padding
> for a large n, and the allocation size wraps around to a small
> integer.  That means they would allocate a smaller buffer than
> expected, leading to buffer overflow.
>
> * calloc(n, size) size overflow.
>
> Some calloc() implementations don't check for n * size multiplication
> overflow, and would allocate a smaller buffer than expected,
> leading to buffer overflow.
>
> The two types of vulnerabilities can be easily reproduced using
> malloc(-1) and calloc(BIG-VALUE, BIG-VALUE).  If the return values
> are non-null, the implementations are likely to be problematic.
>
> See a more complete list at:
>
> http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/
>
> Below are some recent upstream fixes.
>
>
> Boehm-Demers-Weiser GC (libgc)
> ==============================
>
> malloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1
>
> The bug in mallocx.c was found by Ivan Maidanski.
>
> calloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a
>
https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3
>
https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb

https://github.com/ivmai/bdwgc/blob/master/malloc.c
https://github.com/ivmai/bdwgc/blob/master/mallocx.c

Please use CVE-2012-2673 for this issue

> bionic (Android libc)
> =====================
>
> malloc() size overflow, upstream patch (revised by the developers):
>
>
https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385
>
> NB: this vulnerability could only be triggered in debug mode, the
> same as CVE-2009-0607, calloc() size overflow.

https://github.com/android/platform_bionic/blob/master/libc/bionic/malloc_debug_leak.c

Please use CVE-2012-2674 for this issue

> nedmalloc
> =========
>
> malloc() size overflow, upstream patch:
>
>
https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000
>
> calloc() size overflow, upstream patch:
>
>
https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1

https://github.com/ned14/nedmalloc/blob/master/nedmalloc.c

Please use CVE-2012-2675 for this issue

> Hoard
> =====
>
> http://www.hoard.org/
>
> malloc() size overflow, confirmed by the developers via email in
> this March, no upstream patch available (since 3.8).
>
> calloc() size overflow, which should only happen on non-glibc
> platforms (e.g., Mac OS X).  It has not been confirmed by the
> developers, but one can easily reproduce it.

hoard-38/src/tlab.h

Please use CVE-2012-2676 for this issue

> boost::pool
> ===========
>
> ordered_malloc() (similar to calloc()) size overflow, upstream patch:
>
> https://svn.boost.org/trac/boost/changeset/78326

http://www.boost.org/doc/libs/1_49_0/boost/pool/poolfwd.hpp

Please use CVE-2012-2677 for this issue

> - xi



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP0P00AAoJEBYNRVNeJnmTegUP/RzPWBuDk5uc5VX7GfNwl2bV
Tj6vK8eR3PqC0eWZ9J84Ak1Rr/sArq7+eF2jQzB2y5nazrvq8+CbLG45+aG/tc/k
/s1WgQlPf0/cSdG5KtXqQAot/DNwBr91gzPiXzLhH4VriglZkmyYnQoatUq7qg+X
95dlGcDiA9MZBs8/Y9hffUQpT6A59RBR1Js/wIuKxgVuvR6FHr5K6kT8ugj7u5n6
4gsvpL16rpAqUtaDrbrYS/E1wde0X4X++mwdMe+Qnjh4ZmVINPcF845QMmPUKKzN
ub2q/aibzI3c7UxHVW6yPO4kY14dWHQIJkIB4r6nPNkUlkHEsCageMYqUA+iK8d8
/c0xbUjEk6Lq9mWjduHCTdXxgSJcZRl5+v64qAAkGXn2Iry1t0LxLUvQagyG/YYl
laYogHq57jS7gl5bWnPNRFiWo5/zS5n7t6F+T2s98Oly9guNTOZXqe3bzHkJDBO3
Wcv6GNZ+awN0XVLHgBIzky5LCDHbCQrjr/JZvD55HNt9gCmsJzgg0C4iXda86hUd
+yLPQ7tzPIXaruco5GdBh24k6pHuvXfUoeIitRHdb/a1lUqY+9Prcrn0/uC9O6H9
i6RZ7Oki4mE4LBOWP4C/2CxR87tqNmMv2/NKvlMhBVM7IdIxtinXHmwZZGS2aywo
/9xo9gM88fT2SmjREZu3
=Zv9/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ