From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 32548 invoked by alias); 29 Aug 2012 17:11:28 -0000 Received: (qmail 32536 invoked by uid 22791); 29 Aug 2012 17:11:26 -0000 X-SWARE-Spam-Status: No, hits=-3.6 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 X-Spam-Check-By: sourceware.org Received: from localhost (HELO gcc.gnu.org) (127.0.0.1) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Wed, 29 Aug 2012 17:11:13 +0000 From: "fw at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug other/54411] New: libiberty: objalloc_alloc integer overflows (CVE-2012-3509) Date: Wed, 29 Aug 2012 17:11:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: other X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: fw at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: fw at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: Sender: gcc-bugs-owner@gcc.gnu.org X-SW-Source: 2012-08/txt/msg01939.txt.bz2 http://gcc.gnu.org/bugzilla/show_bug.cgi?id=54411 Bug #: 54411 Summary: libiberty: objalloc_alloc integer overflows (CVE-2012-3509) Classification: Unclassified Product: gcc Version: unknown Status: UNCONFIRMED Severity: normal Priority: P3 Component: other AssignedTo: fw@gcc.gnu.org ReportedBy: fw@gcc.gnu.org Sang Kil Cha discovered that _objalloc_alloc does not guard the addition of CHUNK_HEADER_SIZE to the length against overflow. This can cause _objalloc_alloc to return a pointer to a memory region which is smaller than expected. The pointer alignment arithmetic in the objalloc_alloc macro misses an overflow check as well, with similar consequences.