This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] Check for overflow in __alloc_dir
- From: Florian Weimer <fweimer at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Thu, 11 Oct 2012 17:15:50 +0200
- Subject: [PATCH] Check for overflow in __alloc_dir
In __alloc_dir in sysdeps/posix/opendir.c, the st_blksize member can
contain a large value from a source which is not necessarily trusted.
Therefore, we should check that the addition does not overflow and fall
back to default_allocation in that case.
Built and regression-tested on x86_64-redhat-linux-gnu. This is
difficult to test because it requires file system support.
--
Florian Weimer / Red Hat Product Security Team
2012-10-11 Florian Weimer <fweimer@redhat.com>
* sysdeps/posix/opendir.c (__alloc_dir): Check for overflow in
size calculation.
>From 50bf1c9ec9c65ba257b9ebf8639e572a01a70cf2 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 11 Oct 2012 16:46:01 +0200
Subject: [PATCH] __aloc_dir: check for integer overflow in malloc argument
---
sysdeps/posix/opendir.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
index e093142..b056ee3 100644
--- a/sysdeps/posix/opendir.c
+++ b/sysdeps/posix/opendir.c
@@ -1,5 +1,4 @@
-/* Copyright (C) 1991-1996,98,2000-2003,2005,2007,2009,2011
- Free Software Foundation, Inc.
+/* Copyright (C) 1991-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -193,7 +192,12 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
size_t allocation = default_allocation;
#ifdef _STATBUF_ST_BLKSIZE
if (statp != NULL && default_allocation < statp->st_blksize)
- allocation = statp->st_blksize;
+ {
+ allocation = statp->st_blksize;
+ /* This checks for overflow in the malloc argument below. */
+ if (sizeof (DIR) + allocation < sizeof (DIR))
+ allocation = default_allocation;
+ }
#endif
DIR *dirp = (DIR *) malloc (sizeof (DIR) + allocation);
--
1.7.11.7