commit gc for openSUSE:Factory
Hello community, here is the log from the commit of package gc for openSUSE:Factory checked in at 2012-08-12 15:25:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gc (Old) and /work/SRC/openSUSE:Factory/.gc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gc", Maintainer is "uli@suse.com" Changes: --------
--- /work/SRC/openSUSE:Factory/gc/gc.changes 2012-02-14 13:05:52.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.gc.new/gc.changes 2012-08-12 15:25:11.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Aug 7 15:23:30 UTC 2012 - uli@suse.com
+
+- fix for malloc()/calloc() overflows (CVE-2012-2673, bnc#765444)
+
+-------------------------------------------------------------------
New: ---- 0001-Fix-allocation-size-overflows-due-to-rounding.patch 0001-Fix-calloc-overflow.patch 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gc.spec ++++++
--- /var/tmp/diff_new_pack.ORZj4N/_old 2012-08-12 15:25:30.000000000 +0200
+++ /var/tmp/diff_new_pack.ORZj4N/_new 2012-08-12 15:25:30.000000000 +0200
@@ -26,6 +26,11 @@
 Group: Development/Libraries/C and C++
 Source: %{name}-%{src_ver}.tar.bz2
 Patch0: %{name}-build.patch
+Patch1: 0001-Fix-allocation-size-overflows-due-to-rounding.patch
+Patch2: 0001-Fix-calloc-overflow.patch
+Patch3: 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch
+Patch4: 0001-Speedup-calloc-size-overflow-check-by-preventing-div.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: gcc-c++
 BuildRequires: libtool
@@ -60,7 +65,8 @@
 Summary: A garbage collector for C and C++
 Group: Development/Libraries/C and C++
 Provides: gc:/usr/include/gc/gc.h
-Requires: libgc1 = %version, glibc-devel
+Requires: glibc-devel
+Requires: libgc1 = %version
 %description devel
 The Boehm-Demers-Weiser conservative garbage collector can be used as a
@@ -87,6 +93,10 @@
 %prep
 %setup -q -n %{name}-%{src_ver}
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %build
 # refresh auto*/libtool to purge rpaths
++++++ 0001-Fix-allocation-size-overflows-due-to-rounding.patch ++++++
From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001 From: Xi Wang
Date: Thu, 15 Mar 2012 04:55:08 +0800 Subject: [PATCH] Fix allocation size overflows due to rounding.
* malloc.c (GC_generic_malloc): Check if the allocation size is rounded to a smaller value. * mallocx.c (GC_generic_malloc_ignore_off_page): Likewise.
---
malloc.c | 2 ++
mallocx.c | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/malloc.c b/malloc.c
index cc0cc00..899d6ff 100644
--- a/malloc.c
+++ b/malloc.c
@@ -169,6 +169,8 @@ GC_API void * GC_CALL GC_generic_malloc(size_t lb, int k)
 GC_bool init;
 lg = ROUNDED_UP_GRANULES(lb);
 lb_rounded = GRANULES_TO_BYTES(lg);
+ if (lb_rounded < lb)
+ return((*GC_get_oom_fn())(lb));
 n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
 init = GC_obj_kinds[k].ok_init;
 LOCK();
diff --git a/mallocx.c b/mallocx.c
index 2c79f41..0d9c0a6 100644
--- a/mallocx.c
+++ b/mallocx.c
@@ -183,4 +183,6 @@ GC_INNER void * GC_generic_malloc_ignore_off_page(size_t lb, int k)
 lg = ROUNDED_UP_GRANULES(lb);
 lb_rounded = GRANULES_TO_BYTES(lg);
+ if (lb_rounded < lb)
+ return((*GC_get_oom_fn())(lb));
 n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
 init = GC_obj_kinds[k].ok_init;
--
1.7.7
++++++ 0001-Fix-calloc-overflow.patch ++++++
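Review bot: The new `if (lb_rounded < lb)` guard in GC_generic_malloc covers only the granule rounding. The very next line, `n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);`, appears to round up a second time to block size; if that macro adds a bias before dividing, it could still wrap for an lb_rounded close to the size_t maximum (the macro definition is not visible here, so this needs confirming). The same applies to the identical guard in the mallocx.c hunk (GC_generic_malloc_ignore_off_page). The comparison also deserves a one-line comment such as `/* rounding up wrapped around size_t: report out-of-memory */`, because its purpose is not obvious on its own. Both function bodies start and end outside the hunks.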
From e10c1eb9908c2774c16b3148b30d2f3823d66a9a Mon Sep 17 00:00:00 2001 From: Xi Wang
Date: Thu, 15 Mar 2012 04:46:49 +0800 Subject: [PATCH] Fix calloc() overflow
* malloc.c (calloc): Check multiplication overflow in calloc(), assuming REDIRECT_MALLOC.
---
malloc.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/malloc.c b/malloc.c
index da68f13..cc0cc00 100644
--- a/malloc.c
+++ b/malloc.c
@@ -372,8 +372,13 @@ void * malloc(size_t lb)
 }
 #endif /* GC_LINUX_THREADS */
+#ifndef SIZE_MAX
+#define SIZE_MAX (~(size_t)0)
+#endif
 void * calloc(size_t n, size_t lb)
 {
+ if (lb && n > SIZE_MAX / lb)
+ return NULL;
 # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
 /* libpthread allocated some memory that is only pointed to by */
 /* mmapped thread stacks. Make sure it's not collectable. */
--
1.7.7
++++++ 0001-Fix-calloc-related-code-to-prevent-SIZE_MAX-redefini.patch ++++++
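Review bot: The overflow branch added at the top of calloc(), `return NULL;`, reports failure differently from the rounding fix in the same series, which routes through `(*GC_get_oom_fn())(lb)`. An application that installed an out-of-memory handler is therefore never notified of an oversized calloc() request, and errno is left untouched although callers of a malloc replacement commonly expect ENOMEM. Consider `return (*GC_get_oom_fn())(SIZE_MAX);` for consistency, or, if a bare NULL is intended, add a comment such as `/* n * lb overflows size_t; fail without consulting the OOM handler */`. calloc's body continues outside the hunk.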
From 6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 Mon Sep 17 00:00:00 2001 From: Ivan Maidanski
Date: Thu, 15 Mar 2012 20:30:11 +0400 Subject: [PATCH] Fix calloc-related code to prevent SIZE_MAX redefinition in sys headers
* malloc.c: Include limits.h for SIZE_MAX.
* malloc.c (SIZE_MAX, calloc): Define GC_SIZE_MAX instead of SIZE_MAX.
---
malloc.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/malloc.c b/malloc.c
index 899d6ff..cb49a5c 100644
--- a/malloc.c
+++ b/malloc.c
@@ -374,12 +374,16 @@ void * malloc(size_t lb)
}
#endif /* GC_LINUX_THREADS */
-#ifndef SIZE_MAX
-#define SIZE_MAX (~(size_t)0)
+#include
From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001 From: Hans Boehm
Date: Thu, 15 Mar 2012 21:09:05 +0400 Subject: [PATCH] Speedup calloc size overflow check by preventing division if small values
* malloc.c (GC_SQRT_SIZE_MAX): New macro. * malloc.c (calloc): Add fast initial size overflow check to avoid integer division for reasonably small values passed.
---
malloc.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/malloc.c b/malloc.c
index cb49a5c..c9b9eb6 100644
--- a/malloc.c
+++ b/malloc.c
@@ -381,9 +381,12 @@ void * malloc(size_t lb)
 # define GC_SIZE_MAX (~(size_t)0)
 #endif
+#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
+
 void * calloc(size_t n, size_t lb)
 {
- if (lb && n > GC_SIZE_MAX / lb)
+ if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
+ && lb && n > GC_SIZE_MAX / lb)
 return NULL;
 # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
 /* libpthread allocated some memory that is only pointed to by */
 /* mmapped thread stacks. Make sure it's not collectable. */
--
1.7.7
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
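Review bot: `GC_SQRT_SIZE_MAX` is built from `1U`, an unsigned int, so on a target where WORDSZ is 64 and unsigned int is 32 bits the shift `1U << (WORDSZ / 2)` is by the full width of the type, which is undefined behaviour. The value of WORDSZ is not visible in this hunk, so confirm it for LP64 builds. Because this macro gates the calloc() overflow check that the series adds for CVE-2012-2673, the fast test should not depend on an undefined constant. Doing the shift in size_t avoids the problem: `#define GC_SQRT_SIZE_MAX ((((size_t)1) << (WORDSZ / 2)) - 1)`. calloc's body continues outside the hunk.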