Date: Tue, 5 Jun 2012 01:54:17 -0400 From: Xi Wang <xi.wang@...il.com> To: oss-security@...ts.openwall.com Subject: memory allocator upstream patches Hi, I would like to share some upstream patches of two specific types of memory allocator vulnerabilities. * malloc(n) size overflow. Consider the following code pattern. n = read_from_input(); p = malloc(n); if (p) memcpy(p, input_buffer, n); Some malloc() implementations internally perform alignment/padding for a large n, and the allocation size wraps around to a small integer. That means they would allocate a smaller buffer than expected, leading to buffer overflow. * calloc(n, size) size overflow. Some calloc() implementations don't check for n * size multiplication overflow, and would allocate a smaller buffer than expected, leading to buffer overflow. The two types of vulnerabilities can be easily reproduced using malloc(-1) and calloc(BIG-VALUE, BIG-VALUE). If the return values are non-null, the implementations are likely to be problematic. See a more complete list at: http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/ Below are some recent upstream fixes. Boehm-Demers-Weiser GC (libgc) ============================== malloc() size overflow, upstream patch (revised by the developers): https://github.com/ivmai/bdwgc/commit/be9df82919960214ee4b9d3313523bff44fd99e1 The bug in mallocx.c was found by Ivan Maidanski. calloc() size overflow, upstream patch (revised by the developers): https://github.com/ivmai/bdwgc/commit/e10c1eb9908c2774c16b3148b30d2f3823d66a9a https://github.com/ivmai/bdwgc/commit/6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 https://github.com/ivmai/bdwgc/commit/83231d0ab5ed60015797c3d1ad9056295ac3b2bb bionic (Android libc) ===================== malloc() size overflow, upstream patch (revised by the developers): https://github.com/android/platform_bionic/commit/7f5aa4f35e23fd37425b3a5041737cdf58f87385 NB: this vulnerability could only be triggered in debug mode, the same as CVE-2009-0607, calloc() size overflow. nedmalloc ========= malloc() size overflow, upstream patch: https://github.com/ned14/nedmalloc/commit/1a759756639ab7543b650a10c2d77a0ffc7a2000 calloc() size overflow, upstream patch: https://github.com/ned14/nedmalloc/commit/2965eca30c408c13473c4146a9d47d547d288db1 Hoard ===== http://www.hoard.org/ malloc() size overflow, confirmed by the developers via email in this March, no upstream patch available (since 3.8). calloc() size overflow, which should only happen on non-glibc platforms (e.g., Mac OS X). It has not been confirmed by the developers, but one can easily reproduce it. boost::pool =========== ordered_malloc() (similar to calloc()) size overflow, upstream patch: https://svn.boost.org/trac/boost/changeset/78326 - xi
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.