Short description: CVE-2015-5220: calloc() returns non-zeroed memory. Author(s): Ondrej Bilka Origin: git://sourceware.org/git/glibc.git Bug-RHEL: #1296453 (rhel-7.2.z), #1293976 (rhel-7.3), #1256285 (SRT) Bug-Fedora: NA Bug-Upstream: NA Upstream status: committed # # commit e8349efd466cfedc0aa98be61d88ca8795c9e565 # Author: Ondřej Bílka # Date: Mon Dec 9 17:25:19 2013 +0100 # # Simplify perturb_byte logic. # diff --git a/malloc/malloc.c b/malloc/malloc.c index 4821deb..ac8c3f6 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -1870,8 +1870,20 @@ static int check_action = DEFAULT_CHECK_ACTION; static int perturb_byte; -#define alloc_perturb(p, n) memset (p, (perturb_byte ^ 0xff) & 0xff, n) -#define free_perturb(p, n) memset (p, perturb_byte & 0xff, n) +static inline void +alloc_perturb (char *p, size_t n) +{ + if (__glibc_unlikely (perturb_byte)) + memset (p, perturb_byte ^ 0xff, n); +} + +static inline void +free_perturb (char *p, size_t n) +{ + if (__glibc_unlikely (perturb_byte)) + memset (p, perturb_byte, n); +} + #include @@ -3287,8 +3299,7 @@ _int_malloc(mstate av, size_t bytes) } check_remalloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } } @@ -3323,8 +3334,7 @@ _int_malloc(mstate av, size_t bytes) victim->size |= NON_MAIN_ARENA; check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } } @@ -3403,8 +3413,7 @@ _int_malloc(mstate av, size_t bytes) check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } @@ -3420,8 +3429,7 @@ _int_malloc(mstate av, size_t bytes) victim->size |= NON_MAIN_ARENA; check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } @@ -3545,8 +3553,7 @@ _int_malloc(mstate av, size_t bytes) } check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } } @@ -3649,8 +3656,7 @@ _int_malloc(mstate av, size_t bytes) } check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } } @@ -3684,8 +3690,7 @@ _int_malloc(mstate av, size_t bytes) check_malloced_chunk(av, victim, nb); void *p = chunk2mem(victim); - if (__builtin_expect (perturb_byte, 0)) - alloc_perturb (p, bytes); + alloc_perturb (p, bytes); return p; } @@ -3705,7 +3710,7 @@ _int_malloc(mstate av, size_t bytes) */ else { void *p = sysmalloc(nb, av); - if (p != NULL && __builtin_expect (perturb_byte, 0)) + if (p != NULL) alloc_perturb (p, bytes); return p; } @@ -3798,8 +3803,7 @@ _int_free(mstate av, mchunkptr p, int have_lock) } } - if (__builtin_expect (perturb_byte, 0)) - free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); + free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); set_fastchunks(av); unsigned int idx = fastbin_index(size); @@ -3881,8 +3885,7 @@ _int_free(mstate av, mchunkptr p, int have_lock) goto errout; } - if (__builtin_expect (perturb_byte, 0)) - free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); + free_perturb (chunk2mem(p), size - 2 * SIZE_SZ); /* consolidate backward */ if (!prev_inuse(p)) {