Bug 1657582 - glibc: Integer overflow in realloc() allows for uninitialized memory
Summary: glibc: Integer overflow in realloc() allows for uninitialized memory
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1662841 1662842 1662843
Blocks: 1657583
TreeView+ depends on / blocked
 
Reported: 2018-12-10 03:08 UTC by Sam Fowler
Modified: 2021-02-16 22:40 UTC (History)
30 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-12-17 14:07:40 UTC
Embargoed:

Attachments (Terms of Use)
Proposed patch (2.02 KB, application/mbox)
2018-12-10 04:47 UTC, Sam Fowler 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Sourceware 24027 0 None None None 2019-03-01 17:02:53 UTC

Description Sam Fowler 2018-12-10 03:08:10 UTC 
glibc is vulnerable to an integer overflow when a malloc(>= 32 GiB) is increased via realloc() (and M_MMAP_THRESHOLD is set very large or mmap() based allocation is disabled entirely by setting M_MMAP_MAX=0). Only the first couple bytes of the buffer are copied, potentially leaving the majority of the returned buffer with unititialised memory instead of the original malloc()ed buffer's contents.  This may turn into a security problem if you rely on realloc() preserving the contents you wrote into the buffer after malloc().
Comment 1 Sam Fowler 2018-12-10 04:39:39 UTC 
Acknowledgments:

Name: Niklas Hambüchen
Comment 2 Sam Fowler 2018-12-10 04:47:12 UTC 
Created attachment 1512947 [details]
Proposed patch
Comment 12 Adam Mariš 2018-12-17 14:07:42 UTC 
Statement:

Red Hat Product Security does not consider this bug a vulnerability due to unlikelihood of exploiting this issue to cause a security impact.
Comment 13 nh2 2018-12-22 21:21:37 UTC 
Upstream issue at https://sourceware.org/bugzilla/show_bug.cgi?id=24027
Note You need to log in before you can comment on or make changes to this bug.