powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1036 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 5f46da4525
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5f46da4525'
${ noResults }
base/SOURCES/glibc-rh1293976.patch

140 lines
3.8 KiB
Raw Blame History

Short description: CVE-2015-5220: calloc() returns non-zeroed memory.
Author(s): Ondrej Bilka
Origin: git://sourceware.org/git/glibc.git
Bug-RHEL: #1296453 (rhel-7.2.z), #1293976 (rhel-7.3), #1256285 (SRT)
Bug-Fedora: NA
Bug-Upstream: NA
Upstream status: committed
#
# commit e8349efd466cfedc0aa98be61d88ca8795c9e565
# Author: Ondřej Bílka <neleai@seznam.cz>
# Date: Mon Dec 9 17:25:19 2013 +0100
#
# Simplify perturb_byte logic.
#
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 4821deb..ac8c3f6 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1870,8 +1870,20 @@ static int check_action = DEFAULT_CHECK_ACTION;
static int perturb_byte;
-#define alloc_perturb(p, n) memset (p, (perturb_byte ^ 0xff) & 0xff, n)
-#define free_perturb(p, n) memset (p, perturb_byte & 0xff, n)
+static inline void
+alloc_perturb (char *p, size_t n)
+{
+ if (__glibc_unlikely (perturb_byte))
+ memset (p, perturb_byte ^ 0xff, n);
+}
+
+static inline void
+free_perturb (char *p, size_t n)
+{
+ if (__glibc_unlikely (perturb_byte))
+ memset (p, perturb_byte, n);
+}
+
#include <stap-probe.h>
@@ -3287,8 +3299,7 @@ _int_malloc(mstate av, size_t bytes)
}
check_remalloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
}
@@ -3323,8 +3334,7 @@ _int_malloc(mstate av, size_t bytes)
victim->size |= NON_MAIN_ARENA;
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
}
@@ -3403,8 +3413,7 @@ _int_malloc(mstate av, size_t bytes)
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
@@ -3420,8 +3429,7 @@ _int_malloc(mstate av, size_t bytes)
victim->size |= NON_MAIN_ARENA;
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
@@ -3545,8 +3553,7 @@ _int_malloc(mstate av, size_t bytes)
}
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
}
@@ -3649,8 +3656,7 @@ _int_malloc(mstate av, size_t bytes)
}
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
}
@@ -3684,8 +3690,7 @@ _int_malloc(mstate av, size_t bytes)
check_malloced_chunk(av, victim, nb);
void *p = chunk2mem(victim);
- if (__builtin_expect (perturb_byte, 0))
- alloc_perturb (p, bytes);
+ alloc_perturb (p, bytes);
return p;
}
@@ -3705,7 +3710,7 @@ _int_malloc(mstate av, size_t bytes)
*/
else {
void *p = sysmalloc(nb, av);
- if (p != NULL && __builtin_expect (perturb_byte, 0))
+ if (p != NULL)
alloc_perturb (p, bytes);
return p;
}
@@ -3798,8 +3803,7 @@ _int_free(mstate av, mchunkptr p, int have_lock)
}
}
- if (__builtin_expect (perturb_byte, 0))
- free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
+ free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
set_fastchunks(av);
unsigned int idx = fastbin_index(size);
@@ -3881,8 +3885,7 @@ _int_free(mstate av, mchunkptr p, int have_lock)
goto errout;
}
- if (__builtin_expect (perturb_byte, 0))
- free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
+ free_perturb (chunk2mem(p), size - 2 * SIZE_SZ);
/* consolidate backward */
if (!prev_inuse(p)) {