glibc: CVE-2018-6485: Integer overflow in posix_memalign

Related Vulnerabilities: CVE-2018-6485  

Debian Bug report logs - #878159
glibc: CVE-2018-6485: Integer overflow in posix_memalign


Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Tue, 10 Oct 2017 15:21:01 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in versions glibc/2.24-17, glibc/2.19-18

Fixed in version glibc/2.26.9000+20180127.7e23a7dd-0experimental0

Forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=22343



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#878159; Package libc6. (Tue, 10 Oct 2017 15:21:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: libc6: posix_memalign(): free(): invalid next size (fast)
Date: Tue, 10 Oct 2017 17:17:11 +0200
Package: libc6
Version: 2.24-17

Some posix_memalign() calls fail catastrophically:

  $ grep memalign test-posix-memalign.c
       return posix_memalign(&p, 0x10, SIZE_MAX - 0x20);

  $ make test-posix-memalign
  cc     test-posix-memalign.c   -o test-posix-memalign

  $ ./test-posix-memalign
  *** Error in `./test-posix-memalign': free(): invalid next size (fast): 0x57a96008 ***
  ...

Backtrace:

#0  0xf7fd7dc9 in __kernel_vsyscall ()
#1  0xf7e2add0 in __libc_signal_restore_set (set=0xffffd160) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#2  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf7e2c297 in __GI_abort () at abort.c:89
#4  0xf7e6638f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#5  0xf7e6cfc7 in malloc_printerr (action=<optimized out>, str=0xf7f60318 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=0xf7fb2780 <main_arena>) at malloc.c:5049
#6  0xf7e6d806 in _int_free (av=av@entry=0xf7fb2780 <main_arena>, p=p@entry=0x56558000, have_lock=have_lock@entry=1) at malloc.c:3905
#7  0xf7e6f8c3 in _int_memalign (av=av@entry=0xf7fb2780 <main_arena>, alignment=alignment@entry=16, bytes=bytes@entry=4294967263) at malloc.c:4497
#8  0xf7e70eea in _mid_memalign (alignment=16, bytes=4294967263, address=<optimized out>) at malloc.c:3158
#9  0xf7e71028 in _mid_memalign (alignment=alignment@entry=16, bytes=bytes@entry=4294967263, address=<optimized out>) at malloc.c:3121
#10 0xf7e72b7f in __posix_memalign (memptr=0xffffd6ac, alignment=16, size=4294967263) at malloc.c:5071
#11 0x5655556b in main ()


-- System Information:
Architecture: i386

Versions of packages libc6 depends on:
ii  libgcc1  1:7.2.0-8


-- 
Jakub Wilk
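The arithmetic behind this crash and the two places a check belongs, as an added example that is not part of this bug log or of glibc's source: the 32-bit chunk constants and the overflow guard are assumed from glibc's malloc.c and the upstream fix for bug 22343, and safe_posix_memalign is a hypothetical caller-side wrapper, not a glibc API.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Chunk-layout constants of the 32-bit glibc in the report (assumed from
   malloc.c: SIZE_SZ = 4, MALLOC_ALIGN_MASK = 7, MINSIZE = 16).  Arithmetic is
   uint32_t so the wrap-around reproduces on any host without touching malloc. */
#define SIZE_SZ32     4u
#define ALIGN_MASK32  7u
#define MINSIZE32    16u

/* Model of request2size(): round a request up to a chunk size. */
uint32_t request2size32(uint32_t bytes)
{
    return (bytes + SIZE_SZ32 + ALIGN_MASK32) & ~ALIGN_MASK32;
}

/* Pre-fix behaviour: _int_memalign asked _int_malloc for nb + alignment +
   MINSIZE with no overflow check.  For the report's bytes=4294967263 and
   alignment=16 the sum wraps to 8, so a tiny chunk was treated as huge. */
uint32_t memalign_internal_request32(uint32_t bytes, uint32_t alignment)
{
    uint32_t nb = request2size32(bytes);
    return nb + alignment + MINSIZE32;
}

/* Guard in the style of the upstream fix: refuse when the sum would wrap.
   Returns 0 and stores nb (out_nb may be NULL), or ENOMEM. */
int memalign_checked32(uint32_t bytes, uint32_t alignment, uint32_t *out_nb)
{
    uint32_t nb = request2size32(bytes);
    if (nb > UINT32_MAX - alignment - MINSIZE32)
        return ENOMEM;
    if (out_nb)
        *out_nb = nb;
    return 0;
}

/* Caller-side mitigation for an unpatched libc: hypothetical wrapper (not a
   glibc API) that rejects sizes that cannot carry chunk overhead + alignment. */
int safe_posix_memalign(void **memptr, size_t alignment, size_t size)
{
    const size_t slack = 8 * sizeof(size_t);   /* rounding + MINSIZE, with margin */
    *memptr = NULL;
    if (alignment > SIZE_MAX - slack || size > SIZE_MAX - slack - alignment)
        return ENOMEM;
    return posix_memalign(memptr, alignment, size);
}
```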



Information forwarded to debian-bugs-dist@lists.debian.org, GNU Libc Maintainers <debian-glibc@lists.debian.org>:
Bug#878159; Package libc6. (Tue, 10 Oct 2017 15:27:07 GMT)


Message #6 received at 878159@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 878159@bugs.debian.org
Subject: Bug#878159: libc6: posix_memalign(): free(): invalid next size (fast)
Date: Tue, 10 Oct 2017 17:22:45 +0200
Adding forgotten attachment...

-- 
Jakub Wilk
[test-posix-memalign.c (text/x-csrc, attachment)]

Added tag(s) security. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 24 Oct 2017 08:30:03 GMT)


Severity set to 'minor' from 'normal'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 24 Oct 2017 08:30:03 GMT)


Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=22343'. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Tue, 24 Oct 2017 08:30:04 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Oct 2017 16:18:06 GMT)


Marked as found in versions glibc/2.19-18. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Feb 2018 19:42:10 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Feb 2018 19:42:12 GMT)


Changed Bug title to 'glibc: CVE-2018-6485: Integer overflow in posix_memalign' from 'libc6: posix_memalign(): free(): invalid next size (fast)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 01 Feb 2018 19:42:15 GMT)


Marked as fixed in versions glibc/2.26.9000+20180127.7e23a7dd-0experimental0. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Feb 2018 21:39:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:08:25 2019; Machine Name: buxtehude
