From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-867-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 125324 invoked by alias); 2 Jan 2019 13:01:46 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 125312 invoked by uid 89); 2 Jan 2019 13:01:45 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.100.2 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=
X-Spam-Status: No, score=-25.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level:
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 02 Jan 2019 13:01:44 +0000
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by mx1.redhat.com (Postfix) with ESMTPS id 32D93C074550	for <libc-stable@sourceware.org>; Wed,  2 Jan 2019 13:01:43 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (dhcp-192-219.str.redhat.com [10.33.192.219])	by smtp.corp.redhat.com (Postfix) with ESMTPS id 007DD19C65	for <libc-stable@sourceware.org>; Wed,  2 Jan 2019 13:01:42 +0000 (UTC)
Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000)	id C51FB84153B8; Wed,  2 Jan 2019 14:01:41 +0100 (CET)
Date: Tue, 01 Jan 2019 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] malloc: Always call memcpy in _int_realloc [BZ #24027]
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20190102130141.C51FB84153B8@oldenburg2.str.redhat.com>
From: Florian Weimer <fweimer@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 02 Jan 2019 13:01:43 +0000 (UTC)
X-IsSubscribed: yes
X-SW-Source: 2019-01/txt/msg00003.txt.bz2

From: Florian Weimer <fw@deneb.enyo.de>

This commit removes the custom memcpy implementation from _int_realloc
for small chunk sizes.  The ncopies variable has the wrong type, and
an integer wraparound could cause the existing code to copy too few
elements (leaving the new memory region mostly uninitialized).
Therefore, removing this code fixes bug 24027.

(cherry picked from commit b50dd3bc8cbb1efe85399b03d7e6c0310c2ead84)

2018-12-31  Florian Weimer  <fw@deneb.enyo.de>

	[BZ #24027]
	* malloc/malloc.c (_int_realloc): Always call memcpy for the
	copying operation.  (ncopies had the wrong type, resulting in an
	integer wraparound and too few elements being copied.)

diff --git a/NEWS b/NEWS
index f6d26425ff..ef857b6e6c 100644
--- a/NEWS
+++ b/NEWS
@@ -163,6 +163,7 @@ The following bugs are resolved with this release:
   [23579] libc: Errors misreported in preadv2
   [23709] Fix CPU string flags for Haswell-type CPUs
   [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
+  [24027] malloc: Integer overflow in realloc
 
 Version 2.26
 
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 862337466e..49e8ed69c2 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4528,11 +4528,6 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
   mchunkptr        bck;             /* misc temp for linking */
   mchunkptr        fwd;             /* misc temp for linking */
 
-  unsigned long    copysize;        /* bytes to copy */
-  unsigned int     ncopies;         /* INTERNAL_SIZE_T words to copy */
-  INTERNAL_SIZE_T* s;               /* copy source */
-  INTERNAL_SIZE_T* d;               /* copy destination */
-
   /* oldmem size */
   if (__builtin_expect (chunksize_nomask (oldp) <= 2 * SIZE_SZ, 0)
       || __builtin_expect (oldsize >= av->system_mem, 0))
@@ -4600,43 +4595,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
             }
           else
             {
-              /*
-                 Unroll copy of <= 36 bytes (72 if 8byte sizes)
-                 We know that contents have an odd number of
-                 INTERNAL_SIZE_T-sized words; minimally 3.
-               */
-
-              copysize = oldsize - SIZE_SZ;
-              s = (INTERNAL_SIZE_T *) (chunk2mem (oldp));
-              d = (INTERNAL_SIZE_T *) (newmem);
-              ncopies = copysize / sizeof (INTERNAL_SIZE_T);
-              assert (ncopies >= 3);
-
-              if (ncopies > 9)
-                memcpy (d, s, copysize);
-
-              else
-                {
-                  *(d + 0) = *(s + 0);
-                  *(d + 1) = *(s + 1);
-                  *(d + 2) = *(s + 2);
-                  if (ncopies > 4)
-                    {
-                      *(d + 3) = *(s + 3);
-                      *(d + 4) = *(s + 4);
-                      if (ncopies > 6)
-                        {
-                          *(d + 5) = *(s + 5);
-                          *(d + 6) = *(s + 6);
-                          if (ncopies > 8)
-                            {
-                              *(d + 7) = *(s + 7);
-                              *(d + 8) = *(s + 8);
-                            }
-                        }
-                    }
-                }
-
+	      memcpy (newmem, chunk2mem (oldp), oldsize - SIZE_SZ);
               _int_free (av, oldp, 1);
               check_inuse_chunk (av, newp);
               return chunk2mem (newp);