From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 17610 invoked by alias); 17 May 2018 12:43:53 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 17270 invoked by uid 89); 17 May 2018 12:43:52 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS,URIBL_RED autolearn=ham version=3.3.2 spammy= X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS,URIBL_RED autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 17 May 2018 12:43:50 +0000 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AF709D5983 for ; Thu, 17 May 2018 12:43:49 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.36.118.52]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7DE505EDE1 for ; Thu, 17 May 2018 12:43:49 +0000 (UTC) Received: by oldenburg.str.redhat.com (Postfix, from userid 1000) id DDDAD43985E65; Thu, 17 May 2018 14:43:48 +0200 (CEST) Date: Mon, 01 Jan 2018 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.26 COMMITTED] Fix signed integer overflow in random_r (bug 17343). User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20180517124348.DDDAD43985E65@oldenburg.str.redhat.com> From: fweimer@redhat.com (Florian Weimer) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 17 May 2018 12:43:49 +0000 (UTC) X-IsSubscribed: yes X-SW-Source: 2018-05/txt/msg00032.txt.bz2 From: Joseph Myers Bug 17343 reports that stdlib/random_r.c has code with undefined behavior because of signed integer overflow on int32_t. This patch changes the code so that the possibly overflowing computations use unsigned arithmetic instead. Note that the bug report refers to "Most code" in that file. The places changed in this patch are the only ones I found where I think such overflow can occur. Tested for x86_64 and x86. [BZ #17343] * stdlib/random_r.c (__random_r): Use unsigned arithmetic for possibly overflowing computations. (cherry picked from commit 8a07b0c43c46a480da070efd53a2720195e2256f) 2018-03-20 Joseph Myers [BZ #17343] * stdlib/random_r.c (__random_r): Use unsigned arithmetic for possibly overflowing computations. diff --git a/NEWS b/NEWS index 106c7e0a73..7c1526004f 100644 --- a/NEWS +++ b/NEWS @@ -74,6 +74,7 @@ Security related changes: The following bugs are resolved with this release: [16750] ldd: Never run file directly. + [17343] Fix signed integer overflow in random_r [17956] crypt: Use NSPR header files in addition to NSS header files [20532] getaddrinfo: More robust handling of dlopen failures [21242] assert: Suppress pedantic warning caused by statement expression diff --git a/stdlib/random_r.c b/stdlib/random_r.c index c3f6f9aede..150fa9bb34 100644 --- a/stdlib/random_r.c +++ b/stdlib/random_r.c @@ -361,8 +361,7 @@ __random_r (struct random_data *buf, int32_t *result) if (buf->rand_type == TYPE_0) { - int32_t val = state[0]; - val = ((state[0] * 1103515245) + 12345) & 0x7fffffff; + int32_t val = ((state[0] * 1103515245U) + 12345U) & 0x7fffffff; state[0] = val; *result = val; } @@ -371,11 +370,11 @@ __random_r (struct random_data *buf, int32_t *result) int32_t *fptr = buf->fptr; int32_t *rptr = buf->rptr; int32_t *end_ptr = buf->end_ptr; - int32_t val; + uint32_t val; - val = *fptr += *rptr; + val = *fptr += (uint32_t) *rptr; /* Chucking least random bit. */ - *result = (val >> 1) & 0x7fffffff; + *result = val >> 1; ++fptr; if (fptr >= end_ptr) {