diff --git a/glibc-RHEL-141739.patch b/glibc-RHEL-141739.patch
new file mode 100644
index 0000000..98fe129
--- /dev/null
+++ b/glibc-RHEL-141739.patch
@@ -0,0 +1,86 @@
+commit c9188d333717d3ceb7e3020011651f424f749f93
+Author: Siddhesh Poyarekar
+Date: Thu Jan 15 06:06:40 2026 -0500
+
+ memalign: reinstate alignment overflow check (CVE-2026-0861)
+
+ The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
+ overflow check for alignment in memalign functions, _mid_memalign and
+ _int_memalign. Reinstate the overflow check in _int_memalign, aligned
+ with the PTRDIFF_MAX change since that is directly responsible for the
+ CVE. The missing _mid_memalign check is not relevant (and does not have
+ a security impact) and may need a different approach to fully resolve,
+ so it has been omitted.
+
+ CVE-Id: CVE-2026-0861
+ Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
+ Reported-by: Igor Morgenstern, Aisle Research
+ Fixes: BZ #33796
+ Reviewed-by: Wilco Dijkstra
+ Signed-off-by: Siddhesh Poyarekar
+
+Conflicts:
+ malloc/malloc.c
+ (old checked_request2size interface downstream)
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index fe80b8239756a7c9..8d2ede60d93e433f 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -4815,7 +4815,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+
+
+
+- if (!checked_request2size (bytes, &nb))
++ if (!checked_request2size (bytes, &nb) || alignment > PTRDIFF_MAX)
+ {
+ __set_errno (ENOMEM);
+ return NULL;
+@@ -4826,8 +4826,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+ request, and then possibly free the leading and trailing space.
+ */
+
+- /* Call malloc with worst case padding to hit alignment. */
+-
++ /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a
++ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
++ space to add MINSIZE and whatever checked_request2size adds to BYTES to
++ get NB. Consequently, total below also does not overflow. */
+ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+
+ if (m == 0)
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+index 328b4a2a4fd72cf4..593381520c40cb84 100644
+--- a/malloc/tst-malloc-too-large.c
++++ b/malloc/tst-malloc-too-large.c
+@@ -151,7 +151,6 @@ test_large_allocations (size_t size)
+ }
+
+
+-static long pagesize;
+
+ /* This function tests the following aligned memory allocation functions
+ using several valid alignments and precedes each allocation test with a
+@@ -170,8 +169,8 @@ test_large_aligned_allocations (size_t size)
+
+ /* All aligned memory allocation functions expect an alignment that is a
+ power of 2. Given this, we test each of them with every valid
+- alignment from 1 thru PAGESIZE. */
+- for (align = 1; align <= pagesize; align *= 2)
++ alignment for the type of ALIGN, i.e. until it wraps to 0. */
++ for (align = 1; align > 0; align <<= 1)
+ {
+ test_setup ();
+ #if __GNUC_PREREQ (7, 0)
+@@ -264,11 +263,6 @@ do_test (void)
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+ #endif
+
+- /* Aligned memory allocation functions need to be tested up to alignment
+- size equivalent to page size, which should be a power of 2. */
+- pagesize = sysconf (_SC_PAGESIZE);
+- TEST_VERIFY_EXIT (powerof2 (pagesize));
+-
+ /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
+ in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
+
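Review bot: The no-overflow argument in the new comment above `_int_malloc (av, nb + alignment + MINSIZE)` holds only if ALIGNMENT is already a power of two when `_int_memalign` is entered, and the added `alignment > PTRDIFF_MAX` test does not enforce that on its own; the rounding presumably happens in the caller, which is outside this hunk. Because the commit message says the `_mid_memalign` check was deliberately left out, the dependency should be stated next to the guard, for example `/* Callers pass a power-of-2 ALIGNMENT; the bound below relies on it.  */`, or backed with `assert (powerof2 (alignment));`. In the test change, `for (align = 1; align > 0; align <<= 1)` terminates by wrap-around, which is well defined only when `align` has an unsigned type; its declaration is not visible here and is worth confirming. `_int_memalign` and `test_large_aligned_allocations` both continue outside their hunks.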