Relevant commits already backported; skipped from this sync: - elf: handle addition overflow in _dl_find_object_update_1 [BZ #32245] (glibc-RHEL-119398.patch) - Avoid uninitialized result in sem_open when file does not exist (glibc-RHEL-119392-1.patch) - Rename new tst-sem17 test to tst-sem18 (glibc-RHEL-119392-2.patch) - nss: Group merge does not react to ERANGE during merge (bug 33361) (glibc-RHEL-114265.patch) - AArch64: Fix instability in AdvSIMD tan (glibc-RHEL-118273-44.patch) RPM-Changelog: - Sync with upstream branch release/2.39/master (RHEL-126766) - Upstream commit: ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc - posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814) - resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915) - memalign: reinstate alignment overflow check (CVE-2026-0861) - support: Exit on consistency check failure in resolv_response_add_name - support: Fix FILE * leak in check_for_unshare_hints in test-container - sprof: fix -Wformat warnings on 32-bit hosts - sprof: check pread size and offset for overflow - getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465] - nptl: Optimize trylock for high cache contention workloads (BZ #33704) - ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091) - ppc64le: Restore optimized strncmp for power10 - ppc64le: Restore optimized strcmp for power10 - AArch64: Optimise SVE scalar callbacks - aarch64: fix includes in SME tests - aarch64: fix cfi directives around __libc_arm_za_disable - aarch64: tests for SME - aarch64: clear ZA state of SME before clone and clone3 syscalls - aarch64: define macro for calling __libc_arm_za_disable - aarch64: update tests for SME - aarch64: Disable ZA state of SME in setjmp and sigsetjmp - linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996) - aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601) - x86: fix wmemset ifunc stray '!' 
(bug 33542) - x86: Detect Intel Nova Lake Processor - x86: Detect Intel Wildcat Lake Processor Resolves: RHEL-126766 Resolves: RHEL-45143 Resolves: RHEL-45145 Resolves: RHEL-142786 Resolves: RHEL-141852 Resolves: RHEL-141733
commit fb22fd3f5b415dd4cd6f7b5741c2f0412374e242
Author: Siddhesh Poyarekar <siddhesh@gotplt.org>
Date: Thu Jan 15 06:06:40 2026 -0500
memalign: reinstate alignment overflow check (CVE-2026-0861)
The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
overflow check for alignment in memalign functions, _mid_memalign and
_int_memalign. Reinstate the overflow check in _int_memalign, aligned
with the PTRDIFF_MAX change since that is directly responsible for the
CVE. The missing _mid_memalign check is not relevant (and does not have
a security impact) and may need a different approach to fully resolve,
so it has been omitted.
CVE-Id: CVE-2026-0861
Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
Reported-by: Igor Morgenstern, Aisle Research
Fixes: BZ #33796
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index 09dc60bf74c59945..e1aacde4ac94f53b 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -5049,7 +5049,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
|
|
INTERNAL_SIZE_T size;
|
|
|
|
nb = checked_request2size (bytes);
|
|
- if (nb == 0)
|
|
+ if (nb == 0 || alignment > PTRDIFF_MAX)
|
|
{
|
|
__set_errno (ENOMEM);
|
|
return NULL;
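Review bot: The new `alignment > PTRDIFF_MAX` test at the top of _int_memalign carries no comment, so a reader sees the ENOMEM path but not why PTRDIFF_MAX (rather than, say, SIZE_MAX / 2) is the right bound or what arithmetic it protects. Since that overflow argument is what makes this the CVE fix, the reason belongs next to the check: `/* Reject alignments above PTRDIFF_MAX: for a power-of-2 alignment this bounds it to (PTRDIFF_MAX >> 1) + 1, so nb + alignment + MINSIZE below cannot wrap.  */`. Note that the bound is only sufficient when alignment really is a power of 2; nothing in this hunk checks that, so the function appears to rely on its callers (outside the hunk) having normalised alignment first.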
|
|
@@ -5065,7 +5065,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
|
|
we don't find anything in those bins, the common malloc code will
|
|
scan starting at 2x. */
|
|
|
|
- /* Call malloc with worst case padding to hit alignment. */
|
|
+ /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a
|
|
+ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
|
|
+ space to add MINSIZE and whatever checked_request2size adds to BYTES to
|
|
+ get NB. Consequently, total below also does not overflow. */
|
|
m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
|
|
|
|
if (m == NULL)
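Review bot: The new comment above the _int_malloc call derives the no-overflow guarantee from "ALIGNMENT is a power of 2", but nothing in _int_memalign enforces that precondition — the PTRDIFF_MAX check earlier in the function only bounds the magnitude, and a non-power-of-2 alignment just under PTRDIFF_MAX combined with an nb near PTRDIFF_MAX could still make `nb + alignment + MINSIZE` wrap. If the precondition is meant to be established by callers, a cheap guard here keeps the comment honest: `assert (powerof2 (alignment));` immediately before the call, assuming malloc.c's assert and the powerof2 macro (the test file uses it) are in scope at this point. The remainder of _int_memalign, including the `total` the comment refers to, lies outside the hunk.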
|
|
diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
|
|
index 2b91377e54cdc485..15b25cf01d482951 100644
|
|
--- a/malloc/tst-malloc-too-large.c
|
|
+++ b/malloc/tst-malloc-too-large.c
|
|
@@ -152,7 +152,6 @@ test_large_allocations (size_t size)
|
|
}
|
|
|
|
|
|
-static long pagesize;
|
|
|
|
/* This function tests the following aligned memory allocation functions
|
|
using several valid alignments and precedes each allocation test with a
|
|
@@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size)
|
|
|
|
/* All aligned memory allocation functions expect an alignment that is a
|
|
power of 2. Given this, we test each of them with every valid
|
|
- alignment from 1 thru PAGESIZE. */
|
|
- for (align = 1; align <= pagesize; align *= 2)
|
|
+ alignment for the type of ALIGN, i.e. until it wraps to 0. */
|
|
+ for (align = 1; align > 0; align <<= 1)
|
|
{
|
|
test_setup ();
|
|
#if __GNUC_PREREQ (7, 0)
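Review bot: Termination of the rewritten loop `for (align = 1; align > 0; align <<= 1)` depends on align being an unsigned type, as the new comment ("until it wraps to 0") assumes, yet align's declaration sits above the hunk and is not visible here. If it were a signed type, shifting the 1 into the sign bit would be undefined behaviour and the compiler could legitimately treat `align > 0` as always true, turning the test into an infinite loop. Worth pinning in place, either by declaring it in the loop header as `for (size_t align = 1; align != 0; align <<= 1)` or with `_Static_assert ((__typeof__ (align)) -1 > 0, "align must be unsigned");` before the loop. The body of test_large_aligned_allocations continues past the end of the hunk.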
|
|
@@ -265,11 +264,6 @@ do_test (void)
|
|
DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
|
|
#endif
|
|
|
|
- /* Aligned memory allocation functions need to be tested up to alignment
|
|
- size equivalent to page size, which should be a power of 2. */
|
|
- pagesize = sysconf (_SC_PAGESIZE);
|
|
- TEST_VERIFY_EXIT (powerof2 (pagesize));
|
|
-
|
|
/* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
|
|
in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
|
|
|