public inbox for gcc-bugs@sourceware.org
* [Bug other/54411] New: libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: fw at gcc dot gnu.org @ 2012-08-29 17:11 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

             Bug #: 54411
           Summary: libiberty: objalloc_alloc integer overflows
                    (CVE-2012-3509)
    Classification: Unclassified
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
        AssignedTo: fw@gcc.gnu.org
        ReportedBy: fw@gcc.gnu.org


Sang Kil Cha discovered that _objalloc_alloc does not guard the addition of
CHUNK_HEADER_SIZE to the length against overflow.  This can cause
_objalloc_alloc to return a pointer to a memory region which is smaller than
expected.

The pointer alignment arithmetic in the objalloc_alloc macro misses an overflow
check as well, with similar consequences.



* [Bug other/54411] libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: fw at gcc dot gnu.org @ 2012-08-29 17:12 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

Florian Weimer <fw at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2012-08-29
     Ever Confirmed|0                           |1

--- Comment #1 from Florian Weimer <fw at gcc dot gnu.org> 2012-08-29 17:12:02 UTC ---
I'll come up with a patch for both issues (I don't think there is one yet).



* [Bug other/54411] libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: joseph at codesourcery dot com @ 2012-08-29 19:10 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

--- Comment #2 from joseph at codesourcery dot com <joseph at codesourcery dot com> 2012-08-29 19:09:55 UTC ---
You do realise that pretty much nothing in the toolchain checks for 
overflows in calculating allocation sizes?  If you want to fix such 
issues more systematically, the macros in libiberty.h such as XNEWVEC 
would be a good starting point in which to insert overflow checks, but 
there will be loads of other places affected as well.



* [Bug other/54411] libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: fw at gcc dot gnu.org @ 2012-08-29 19:19 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

--- Comment #3 from Florian Weimer <fw at gcc dot gnu.org> 2012-08-29 19:18:58 UTC ---
(In reply to comment #2)
> You do realise that pretty much nothing in the toolchain checks for 
> overflows in calculating allocation sizes?

bfd_alloc2 (bfd's XNEWVEC variant) contains an overflow check, and this bug
defeats it.

Your point about XNEWVEC is appreciated, but this is a different bug. 8-)



* [Bug other/54411] libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: joseph at codesourcery dot com @ 2012-08-29 21:29 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

--- Comment #4 from joseph at codesourcery dot com <joseph at codesourcery dot com> 2012-08-29 21:29:12 UTC ---
On Wed, 29 Aug 2012, fw at gcc dot gnu.org wrote:

> > You do realise that pretty much nothing in the toolchain checks for 
> > overflows in calculating allocation sizes?
> 
> bfd_alloc2 (bfd's XNEWVEC variant) contains an overflow check, and this bug
> defeats it.
> 
> Your point about XNEWVEC is appreciated, but this is a different bug. 8-)

My point is that there are probably hundreds of such bugs in the toolchain 
sources (and lots more bugs where BFD and GDB fail to handle invalid 
input); XNEWVEC is just an example of one that's comparatively easy to 
find and fix (but I'm sure plenty more are easy to find for anyone going 
looking for them).



* [Bug other/54411] libiberty: objalloc_alloc integer overflows (CVE-2012-3509)
From: fw at gcc dot gnu.org @ 2012-09-18  8:34 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411

--- Comment #5 from Florian Weimer <fw at gcc dot gnu.org> 2012-09-18 08:34:12 UTC ---
Author: fw
Date: Tue Sep 18 08:34:05 2012
New Revision: 191413

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=191413
Log:
PR other/54411: integer overflow in objalloc_alloc

2012-09-18  Florian Weimer  <fweimer@redhat.com>

    PR other/54411
    * objalloc.h (objalloc_alloc): Do not use fast path on wraparound.

2012-09-18  Florian Weimer  <fweimer@redhat.com>

    PR other/54411
    * objalloc.c (_objalloc_alloc): Add overflow check covering
    alignment and CHUNK_HEADER_SIZE addition.

Modified:
    trunk/include/ChangeLog
    trunk/include/objalloc.h
    trunk/libiberty/ChangeLog
    trunk/libiberty/objalloc.c


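The two overflow sites the report names (the alignment round-up in the objalloc_alloc macro fast path, and the CHUNK_HEADER_SIZE addition in _objalloc_alloc) and the shape of the checks the ChangeLog describes, modelled as an added C example that is not the libiberty source or Florian's patch. The constants and function names are assumptions made for the illustration.

```c
#include <limits.h>

/* Values modelled on libiberty's objalloc; the exact constants are an
   assumption for this illustration, not taken from the project. */
#define OBJALLOC_ALIGN    16UL
#define CHUNK_HEADER_SIZE 16UL

/* Alignment round-up as the fast path computed it before the fix: no
   check, so a request close to ULONG_MAX wraps to 0, which then passes
   a "fits in current_space" test and hands back a pointer with no room. */
unsigned long rounded_len_unchecked (unsigned long len)
{
  if (len == 0)
    len = 1;
  return (len + OBJALLOC_ALIGN - 1) & ~(OBJALLOC_ALIGN - 1);
}

/* Size a big request would pass to malloc before the fix: the header
   addition can wrap as well, giving a tiny chunk for a huge request. */
unsigned long chunk_size_unchecked (unsigned long len)
{
  return CHUNK_HEADER_SIZE + rounded_len_unchecked (len);
}

/* Hardened fast-path test ("do not use fast path on wraparound"): a
   rounded length of 0 can only come from wraparound, so refuse the fast
   path and let the slow path reject the request. */
int fast_path_ok (unsigned long rounded, unsigned long current_space)
{
  return rounded != 0 && rounded <= current_space;
}

/* Hardened slow-path sizing: one comparison against the original length
   catches both a wrapped round-up (always 0 after the mask) and a wrapped
   header addition (always below the original length).  Returns 1 and
   stores the rounded length, or 0 when the request must be refused. */
int rounded_len_checked (unsigned long len, unsigned long *out)
{
  unsigned long original_len = len == 0 ? 1 : len;
  unsigned long rounded =
    (original_len + OBJALLOC_ALIGN - 1) & ~(OBJALLOC_ALIGN - 1);

  if (rounded + CHUNK_HEADER_SIZE < original_len)
    return 0;
  *out = rounded;
  return 1;
}
```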
