blob: 2796c3b9b3cd11e5eac273ef2857fdbb47980c84 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
BASH PATCH REPORT
=================
Bash-Release: 5.1
Patch-ID: bash51-009
Bug-Reported-by: Julien Moutinho <julm+bash@sourcephile.fr>
Bug-Reference-ID: <20211004035906.5kiobuzkpeckmvwg@sourcephile.fr>
Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2021-10/msg00022.html
Bug-Description:
The bash malloc implementation of malloc_usable_size() does not follow the
specification. This can cause library functions that use it to overwrite
memory bounds checking.
Patch (apply with `patch -p0'):
*** ../bash-5.1-patched/lib/malloc/malloc.c 2020-07-08 10:19:30.000000000 -0400
--- lib/malloc/malloc.c 2021-10-05 16:10:55.000000000 -0400
***************
*** 1287,1297 ****
}
! /* XXX - should we return 0 if ISFREE? */
! maxbytes = binsize(p->mh_index);
!
! /* So the usable size is the maximum number of bytes in the bin less the
! malloc overhead */
! maxbytes -= MOVERHEAD + MSLOP;
! return (maxbytes);
}
--- 1358,1367 ----
}
! /* return 0 if ISFREE */
! if (p->mh_alloc == ISFREE)
! return 0;
!
! /* Since we use bounds checking, the usable size is the last requested size. */
! return (p->mh_nbytes);
}
*** ../bash-5.1/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
--- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 8
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 9
#endif /* _PATCHLEVEL_H_ */
|
