Bug 853906 (CVE-2002-2439)

Summary: CVE-2002-2439 gcc: Integer overflow can occur during the computation of the memory region size for new[] operator
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bressers, jakub, law, mfranc, mpolacek
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20020805,reported=20120831,source=oss-security,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,rhel-5/gcc=wontfix,rhel-5/gcc43=wontfix,rhel-5/gcc44=wontfix,rhel-5/compat-gcc-295=wontfix,rhel-5/compat-gcc-296=wontfix,rhel-5/compat-gcc-32=wontfix,rhel-5/compat-gcc-34=wontfix,rhel-6/gcc=wontfix,rhel-6/compat-gcc-295=wontfix,rhel-6/compat-gcc-296=wontfix,rhel-6/compat-gcc-32=wontfix,rhel-6/compat-gcc-34=wontfix,fedora-all/gcc=affected,fedora-all/compat-gcc-296=new,fedora-all/compat-gcc-32=new,fedora-all/compat-gcc-34=affected,rhel-7/gcc=notaffected,cwe=CWE-190[auto]
Fixed In Version: gcc 4.8.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-20 14:26:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 853918, 853919
Bug Blocks: 853928

Description Jan Lieskovsky 2012-09-03 05:54:49 EDT
It was reported that the C++ new[] operator was previously missing integer overflow / wrap-around checks for its arguments. If an application compiled with gcc accepted untrusted input for memory allocation and was missing application-level checks for integer overflows of the arguments provided to the new[] operator, an attacker could use this flaw to cause the memory region allocated for the new[] operator statement to be smaller than truly required, possibly leading to heap-based buffer overflows.

Upstream bug report:
[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351

Upstream patches:
[2] http://gcc.gnu.org/ml/gcc-patches/2012-06/msg01689.html
[3] http://gcc.gnu.org/ml/gcc-patches/2012-08/msg01416.html

References:
[4] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=35790
[5] http://cert.uni-stuttgart.de/ticker/advisories/calloc.html
Comment 1 Jan Lieskovsky 2012-09-03 06:16:07 EDT
This issue affects the versions of the gcc package as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the versions of the compat-gcc-34 package as shipped with Fedora releases 16 and 17. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-09-03 06:17:34 EDT
Created compat-gcc-34 tracking bugs for this issue

Affects: fedora-all [bug 853919]
Comment 3 Jan Lieskovsky 2012-09-03 06:17:37 EDT
Created gcc tracking bugs for this issue

Affects: fedora-all [bug 853918]
Comment 4 Jan Lieskovsky 2012-09-03 06:19:02 EDT
Reproducer (from http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351#c0):
-----------------------------------------------------------------------

#include <cstddef>   // size_t
#include <cstdlib>   // malloc
#include <new>       // std::bad_alloc
// testsuite_hooks.h belongs to the libstdc++ testsuite; outside it, VERIFY
// is defined here on top of assert() so the reproducer builds stand-alone.
#include <cassert>
#ifndef VERIFY
#define VERIFY(cond) assert(cond)
#endif

struct foo
{
  char data[16];
  // Receives the byte count the compiler computed for new[]; on a
  // vulnerable gcc that count has wrapped around to exactly sizeof(foo).
  void* operator new[] (size_t size)
  {
    VERIFY(size != sizeof(foo));
    VERIFY (false);  // a fixed gcc must never reach the allocator at all
    return malloc(size);
  }
};

int
main()
{
  // Chosen so that size * sizeof(foo) overflows size_t and wraps to 16.
  size_t size = size_t (-1) / sizeof(foo) + 2;
  try
    {
      foo* f = new foo[size];
      VERIFY (f == 0);
      VERIFY (false);
    }
  catch(std::bad_alloc&)
    {
      // gcc >= 4.8 throws std::bad_array_new_length, which derives from bad_alloc
      return 0;
    }
  return 1;  // reached only if the overflow went undetected
}
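Added example, not from the bug report or from GCC itself, covering both the undersized allocation described above and the reproducer's element count: the wrapped byte-count arithmetic, the overflow check a fixed compiler runtime applies, and the same check done at application level for builds on a compiler whose runtime lacks the fix. `foo`, `checked_array_bytes` and `safe_new_array` are names chosen here.

```cpp
// Added example (not from the bug report or GCC): the wrapped size
// computation behind CVE-2002-2439 and the overflow check a fixed
// compiler runtime or an application-level wrapper must apply.
#include <cstddef>
#include <cstdint>
#include <new>

struct foo { char data[16]; };   // same 16-byte element as the reproducer

// Pre-fix behaviour: plain modular multiplication, so a huge element
// count can wrap to a tiny byte count that new[] then allocates.
std::size_t unchecked_array_bytes(std::size_t count, std::size_t elem_size) {
    return count * elem_size;   // unsigned wrap, no diagnostic
}

// Post-fix behaviour: reject any count whose product would exceed SIZE_MAX.
// Returns false instead of a wrapped value when the product overflows.
bool checked_array_bytes(std::size_t count, std::size_t elem_size, std::size_t* out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

// Application-level check (hypothetical helper): the same test, done before
// new[] so it holds even on a compiler whose runtime lacks the fix.
template <typename T>
T* safe_new_array(std::size_t count) {
    std::size_t bytes = 0;
    if (!checked_array_bytes(count, sizeof(T), &bytes))
        throw std::bad_array_new_length();   // derives from std::bad_alloc
    return new T[count];
}

// The reproducer's count: (SIZE_MAX / 16 + 2) * 16 wraps to exactly 16.
std::size_t reproducer_count() { return SIZE_MAX / sizeof(foo) + 2; }

// True when the wrapper refuses the overflowing count with a bad_alloc.
bool wrapper_rejects_overflow() {
    try {
        foo* f = safe_new_array<foo>(reproducer_count());
        delete[] f;
        return false;
    } catch (const std::bad_alloc&) {
        return true;
    }
}
```

The unchecked product lands on sizeof(foo) for both 32- and 64-bit size_t, which is why the reproducer's operator new[] asserts on that exact value.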
Comment 7 Josh Bressers 2014-06-13 13:31:55 EDT
I'm going to close this bug. It's fixed upstream, but not something we can backport without creating issues.