Bug 1657582

Summary: glibc: Integer overflow in realloc() allows for uninitialized memory
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abhgupta, amaris, aoliva, arjun.is, ashankar, bmcclain, codonell, dbaker, dblechte, dfediuck, dj, eedri, fweimer, glibc-bugzilla, jokerman, law, mfabian, mgoldboi, michal.skrivanek, mnewsome, nh2-redhatbugzilla, pfrankli, rth, sbonazzo, security-response-team, sherold, siddhesh, sthangav, tcallawa, trankin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-17 14:07:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1662841, 1662842, 1662843
Bug Blocks: 1657583
Attachments: Proposed patch (flags: none)

Description Sam Fowler 2018-12-10 03:08:10 UTC
glibc is vulnerable to an integer overflow when a malloc(>= 32 GiB) is increased via realloc() (and M_MMAP_THRESHOLD is set very large or mmap() based allocation is disabled entirely by setting M_MMAP_MAX=0). Only the first couple of bytes of the buffer are copied, potentially leaving the majority of the returned buffer with uninitialised memory instead of the original malloc()ed buffer's contents. This may turn into a security problem if you rely on realloc() preserving the contents you wrote into the buffer after malloc().
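The arithmetic behind the report, as an added example by the editor (not code from the report, from the attached patch, or from glibc itself): the pre-fix _int_realloc in glibc computed the number of size_t words to copy into an unsigned int and used a hand-unrolled copy for counts of nine or fewer, which the upstream fix for bug 24027 replaced with a plain memcpy. The functions below reproduce that arithmetic for 64-bit glibc (8-byte size word, 16-byte chunk alignment, 32-byte minimum chunk) without allocating anything, so the 32 GiB case can be examined on any machine. The constants and function names are the editor's, not glibc's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Editor's model of the realloc copy path described in the report; this is
 * not glibc source. All values are for 64-bit glibc (x86-64): 8-byte size
 * word, 16-byte chunk alignment, 32-byte minimum chunk. */
#define SIZE_SZ           ((uint64_t)8)
#define MALLOC_ALIGN_MASK ((uint64_t)15)
#define MINSIZE           ((uint64_t)32)

/* Bytes glibc copies when growing a non-mmapped chunk: the chunk size
 * (request plus header, rounded up to the alignment) minus one size word. */
static uint64_t copysize_for_request(uint64_t request)
{
    uint64_t chunksize = request + SIZE_SZ + MALLOC_ALIGN_MASK;
    chunksize = chunksize < MINSIZE ? MINSIZE : (chunksize & ~MALLOC_ALIGN_MASK);
    return chunksize - SIZE_SZ;
}

/* Words copied by the pre-fix code. The word count was held in an unsigned
 * int, so it wraps once copysize reaches 2^32 words (32 GiB). A count of 9
 * or fewer went through a hand-unrolled copy: words 0-2 unconditionally,
 * then two more at each of the >4, >6 and >8 thresholds. A count above 9
 * used memcpy with the correct byte count, so the wrap only bites when the
 * low 32 bits of the true word count land at 9 or below. */
static uint64_t words_copied_old(uint64_t copysize)
{
    unsigned int ncopies = (unsigned int)(copysize / SIZE_SZ); /* the wrap */
    if (ncopies > 9)
        return copysize / SIZE_SZ;
    uint64_t n = 3;
    if (ncopies > 4) n += 2;
    if (ncopies > 6) n += 2;
    if (ncopies > 8) n += 2;
    return n;
}

/* Words copied after the fix: a plain memcpy of copysize bytes. */
static uint64_t words_copied_fixed(uint64_t copysize)
{
    return copysize / SIZE_SZ;
}

/* 1 if the old code would leave part of the grown buffer uninitialised for
 * a chunk of this request size, 0 if the copy is complete either way. */
static int realloc_copy_is_truncated(uint64_t request)
{
    uint64_t cs = copysize_for_request(request);
    return words_copied_old(cs) != words_copied_fixed(cs);
}

int main(void)
{
    /* Constructed inputs: the report's 32 GiB case, a size just past it,
     * and an ordinary small allocation. */
    uint64_t requests[] = { (uint64_t)1 << 35, ((uint64_t)1 << 35) + 80, 100 };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        uint64_t cs = copysize_for_request(requests[i]);
        printf("request %" PRIu64 ": old code copies %" PRIu64 " of %" PRIu64
               " words (%s)\n", requests[i], words_copied_old(cs),
               words_copied_fixed(cs),
               realloc_copy_is_truncated(requests[i]) ? "TRUNCATED" : "ok");
    }
    return 0;
}
```

For a 32 GiB request the model copies 3 words (24 bytes) out of 2^32+1, which matches the "only the first couple of bytes" in the report. The truncation is size-specific: it only occurs when the wrapped count lands at 9 or below, i.e. when the user size lies within a few dozen bytes above a multiple of 32 GiB, so a 40 GiB buffer is still copied in full. The path is also only reached for chunks that are not backed by mmap: glibc grows mmapped chunks with mremap, and a request of this size is mmapped by default, which is why the report requires M_MMAP_MAX=0 or a raised mmap threshold.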

Comment 1 Sam Fowler 2018-12-10 04:39:39 UTC
Acknowledgments:

Name: Niklas Hambüchen

Comment 2 Sam Fowler 2018-12-10 04:47:12 UTC
Created attachment 1512947: Proposed patch

Comment 12 Adam Mariš 2018-12-17 14:07:42 UTC
Statement:

Red Hat Product Security does not consider this bug a vulnerability due to the unlikelihood of exploiting this issue to cause a security impact.

Comment 13 nh2 2018-12-22 21:21:37 UTC
Upstream issue at https://sourceware.org/bugzilla/show_bug.cgi?id=24027