From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-865-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 124944 invoked by alias); 2 Jan 2019 13:01:38 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 124933 invoked by uid 89); 2 Jan 2019 13:01:38 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.100.2 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=
X-Spam-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level:
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 02 Jan 2019 13:01:36 +0000
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by mx1.redhat.com (Postfix) with ESMTPS id B374664100	for <libc-stable@sourceware.org>; Wed,  2 Jan 2019 13:01:35 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (dhcp-192-219.str.redhat.com [10.33.192.219])	by smtp.corp.redhat.com (Postfix) with ESMTPS id 66F5E608C4	for <libc-stable@sourceware.org>; Wed,  2 Jan 2019 13:01:35 +0000 (UTC)
Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000)	id 37C8884153B8; Wed,  2 Jan 2019 14:01:34 +0100 (CET)
Date: Tue, 01 Jan 2019 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.24 COMMITTED] malloc: Always call memcpy in _int_realloc [BZ #24027]
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20190102130134.37C8884153B8@oldenburg2.str.redhat.com>
From: Florian Weimer <fweimer@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 02 Jan 2019 13:01:35 +0000 (UTC)
X-IsSubscribed: yes
X-SW-Source: 2019-01/txt/msg00001.txt.bz2

From: Florian Weimer <fw@deneb.enyo.de>

This commit removes the custom memcpy implementation from _int_realloc
for small chunk sizes.  The ncopies variable has the wrong type, and
an integer wraparound could cause the existing code to copy too few
elements (leaving the new memory region mostly uninitialized).
Therefore, removing this code fixes bug 24027.

(cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)

2018-12-31  Florian Weimer  <fw@deneb.enyo.de>

	[BZ #24027]
	* malloc/malloc.c (_int_realloc): Always call memcpy for the
	copying operation.  (ncopies had the wrong type, resulting in an
	integer wraparound and too few elements being copied.)

diff --git a/NEWS b/NEWS
index d5868b2e09..f7536ac0d9 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,7 @@ The following bugs are resolved with this release:
     to SSIZE_MAX (CVE-2018-11236)
   [23196] string: __mempcpy_avx512_no_vzeroupper mishandles large copies
     (CVE-2018-11237)
+  [24027] malloc: Integer overflow in realloc
 
 Version 2.24
 
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 1f5f166ea2..8a1321d292 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4271,11 +4271,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
   mchunkptr        bck;             /* misc temp for linking */
   mchunkptr        fwd;             /* misc temp for linking */
 
-  unsigned long    copysize;        /* bytes to copy */
-  unsigned int     ncopies;         /* INTERNAL_SIZE_T words to copy */
-  INTERNAL_SIZE_T* s;               /* copy source */
-  INTERNAL_SIZE_T* d;               /* copy destination */
-
   const char *errstr = NULL;
 
   /* oldmem size */
@@ -4353,43 +4348,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-              /*
-                 Unroll copy of <= 36 bytes (72 if 8byte sizes)
-                 We know that contents have an odd number of
-                 INTERNAL_SIZE_T-sized words; minimally 3.
-               */
-
-              copysize = oldsize - SIZE_SZ;
-              s = (INTERNAL_SIZE_T *) (chunk2mem (oldp));
-              d = (INTERNAL_SIZE_T *) (newmem);
-              ncopies = copysize / sizeof (INTERNAL_SIZE_T);
-              assert (ncopies >= 3);
-
-              if (ncopies > 9)
-                memcpy (d, s, copysize);
-
-              else
-                {
-                  *(d + 0) = *(s + 0);
-                  *(d + 1) = *(s + 1);
-                  *(d + 2) = *(s + 2);
-                  if (ncopies > 4)
-                    {
-                      *(d + 3) = *(s + 3);
-                      *(d + 4) = *(s + 4);
-                      if (ncopies > 6)
-                        {
-                          *(d + 5) = *(s + 5);
-                          *(d + 6) = *(s + 6);
-                          if (ncopies > 8)
-                            {
-                              *(d + 7) = *(s + 7);
-                              *(d + 8) = *(s + 8);
-                            }
-                        }
-                    }
-                }
-
+	      memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
               _int_free (av, oldp, 1);
               check_inuse_chunk (av, newp);
               return chunk2mem (newp);