Bug 957089 - glibc: a bug in the patch for RHBZ#951493
Summary: glibc: a bug in the patch for RHBZ#951493
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.9
Hardware: Unspecified
OS: Linux
high
unspecified
Target Milestone: rc
Assignee: Patsy Griffin
QA Contact: Arjun Shankar
URL:
Whiteboard:
Depends On:
Blocks: 963813
Reported: 2013-04-26 10:33 UTC by Tetsuo Handa
Modified: 2016-11-24 15:42 UTC (History)

Fixed In Version: glibc-2.5-117
Doc Type: Bug Fix
Doc Text:
Cause: A recent change to the C library localization code (BZ#951493) introduced a case where a pointer was not checked for NULL prior to being accessed. Consequence: This could result in a program crashing. Fix/Result: A check has been added to ensure that the pointer is non-NULL before accessing it, preventing a possible program crash. (BZ#957089/BZ#816647)
Clone Of:
Environment:
Last Closed: 2013-09-30 22:18:00 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Patch for avoiding NULL pointer dereference (655 bytes, patch)
2013-04-30 13:43 UTC, Tetsuo Handa


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1308 0 normal SHIPPED_LIVE glibc bug fix update 2013-09-30 21:13:32 UTC

Description Tetsuo Handa 2013-04-26 10:33:05 UTC
Version-Release number of selected component (if applicable):

glibc-2.5-107.el5_9.4

Description of problem:

A newmem != NULL check is needed before accessing newmem->next.
(Described in the comment below.)

--- old/intl/dcigettext.c
+++ new/intl/dcigettext.c
@@ -1155,50 +1155,51 @@ _nl_find_msg (domain_file, domainbinding
                resize_freemem:
                  /* We must allocate a new buffer or resize the old one.  */
                  if (malloc_count > 0)
                    {
                      ++malloc_count;
                      freemem_size = malloc_count * INITIAL_BLOCK_SIZE;
                      newmem = (transmem_block_t *) realloc (transmem_list,
                                                             freemem_size);
 # ifdef _LIBC
                      if (newmem != NULL)
-                       transmem_list = transmem_list->next;
+                       transmem_list = newmem;
                      else
                        {
                          struct transmem_list *old = transmem_list;

                          transmem_list = transmem_list->next;
                          free (old);
                        }
 # endif
                    }
                  else
                    {
                      malloc_count = 1;
                      freemem_size = INITIAL_BLOCK_SIZE;
                      newmem = (transmem_block_t *) malloc (freemem_size);
+# ifdef _LIBC
+                     /* Add the block to the list of blocks we have to free
+                        at some point.  */
+                     newmem->next = transmem_list; /***** Need newmem!=NULL check first.*****/
+                     transmem_list = newmem;
+# endif
                    }
                  if (__builtin_expect (newmem == NULL, 0))
                    {
                      freemem = NULL;
                      freemem_size = 0;
                      __libc_lock_unlock (lock);
                      return (char *) -1;
                    }

 # ifdef _LIBC
-                 /* Add the block to the list of blocks we have to free
-                    at some point.  */
-                 newmem->next = transmem_list;
-                 transmem_list = newmem;
-
                  freemem = (unsigned char *) newmem->data;
                  freemem_size -= offsetof (struct transmem_list, data);
 # else
                  transmem_list = newmem;
                  freemem = newmem;
 # endif

                  outbuf = freemem + sizeof (size_t);
                }
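
Review bot: the added `# ifdef _LIBC` block in the `else` (first allocation) branch dereferences `newmem` in `newmem->next = transmem_list;` before the `if (__builtin_expect (newmem == NULL, 0))` check that follows it, so a failed `malloc` turns into a NULL pointer dereference instead of the intended `return (char *) -1`. The two list-linking lines should be guarded the same way the realloc branch already guards its update, i.e. `if (newmem != NULL) { newmem->next = transmem_list; transmem_list = newmem; }`. The realloc branch itself looks right: on success the reallocated block keeps its old `next`, so `transmem_list = newmem;` replaces the head in place, and on failure the still-valid old head is unlinked before `free (old)`.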

Comment 1 Tetsuo Handa 2013-04-30 13:43:57 UTC
Created attachment 741879
Patch for avoiding NULL pointer dereference

> * Fri Apr 12 2013 Siddhesh Poyarekar <siddhesh> - 2.5-107.4
>   - Add missing patch to avoid use after free (#816647).

Unfortunately, glibc-rh816647-2.patch introduced a NULL pointer dereference when
the initial malloc() fails. We have to check that malloc() has succeeded before
accessing it.
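
Added example, not code from the report or from glibc: the resize_freemem logic from the description above with the NULL check placed in front of the list link, as Comment 1 asks, with glibc's statics moved into a context struct and an injectable allocator so the initial-malloc failure path can be exercised without crashing. INITIAL_BLOCK_SIZE, the struct layout, the context struct and the failing_malloc helper are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#define INITIAL_BLOCK_SIZE 4080
/* Block header in front of each translation buffer (names from the report; the
   exact layout is an assumption of this example). */
struct transmem_list { struct transmem_list *next; char data[]; };
typedef struct transmem_list transmem_block_t;
/* The statics glibc keeps, plus allocator hooks so a test can force malloc()
   to fail on demand (assumed for this example). */
struct transmem_ctx {
  void *(*do_malloc)(size_t);
  void *(*do_realloc)(void *, size_t);
  transmem_block_t *transmem_list;   /* blocks we have to free at some point */
  int malloc_count; size_t freemem_size; unsigned char *freemem;
};

/* Hardened resize_freemem from the report: a new block is linked into
   transmem_list only once it is known to be non-NULL.  Returns 0 on success
   and -1 where glibc returns (char *) -1. */
int resize_freemem(struct transmem_ctx *c)
{
  transmem_block_t *newmem;
  if (c->malloc_count > 0) {
    ++c->malloc_count;
    c->freemem_size = c->malloc_count * INITIAL_BLOCK_SIZE;
    newmem = c->do_realloc(c->transmem_list, c->freemem_size);
    if (newmem != NULL)
      c->transmem_list = newmem;          /* realloc preserved ->next */
    else {
      struct transmem_list *old = c->transmem_list;
      c->transmem_list = old->next;       /* realloc failed: drop the head */
      free(old);
    }
  } else {
    c->malloc_count = 1; c->freemem_size = INITIAL_BLOCK_SIZE;
    newmem = c->do_malloc(c->freemem_size);
    /* The reported bug wrote newmem->next here, before any NULL check, so a
       failed malloc() dereferenced NULL.  Guarding the link is the fix. */
    if (newmem != NULL) {
      newmem->next = c->transmem_list;
      c->transmem_list = newmem;
    }
  }
  if (newmem == NULL) { c->freemem = NULL; c->freemem_size = 0; return -1; }
  c->freemem = (unsigned char *) newmem->data;
  c->freemem_size -= offsetof(struct transmem_list, data);
  return 0;
}

void *failing_malloc(size_t n) { (void) n; return NULL; }  /* stands in for OOM */
```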

Comment 5 RHEL Program Management 2013-05-01 16:58:46 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 16 errata-xmlrpc 2013-09-30 22:18:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1308.html

