--- /dev/null
+From b0ec8fb689df862171f0f78994a3bdeb51313545 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@gotplt.org>
+Date: Thu, 15 Jan 2026 06:06:40 -0500
+Subject: [PATCH] memalign: reinstate alignment overflow check (CVE-2026-0861)
+
+The change to cap valid sizes to PTRDIFF_MAX inadvertently dropped the
+overflow check for alignment in memalign functions, _mid_memalign and
+_int_memalign. Reinstate the overflow check in _int_memalign, aligned
+with the PTRDIFF_MAX change since that is directly responsible for the
+CVE. The missing _mid_memalign check is not relevant (and does not have
+a security impact) and may need a different approach to fully resolve,
+so it has been omitted.
+
+CVE-Id: CVE-2026-0861
+Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206
+Reported-by: Igor Morgenstern, Aisle Research
+Fixes: BZ #33796
+Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>
+Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
+(cherry picked from commit c9188d333717d3ceb7e3020011651f424f749f93)
+---
+ malloc/malloc.c | 7 +++++--
+ malloc/tst-malloc-too-large.c | 10 ++--------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 5f3e701fd1..1d5aa304d3 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -5167,7 +5167,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+ INTERNAL_SIZE_T size;
+
+ nb = checked_request2size (bytes);
+- if (nb == 0)
++ if (nb == 0 || alignment > PTRDIFF_MAX)
+ {
+ __set_errno (ENOMEM);
+ return NULL;
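Review bot: The new `alignment > PTRDIFF_MAX` guard is only sufficient together with two assumptions that are not checked at this point: that ALIGNMENT is a power of 2 (stated in the comment added in the next hunk) and that `nb` has already been capped by checked_request2size. The check would be easier to audit with a short comment of its own, for example `/* ALIGNMENT must be a power of 2 here; with NB capped, nb + alignment + MINSIZE cannot wrap. */`. The sum avoids size_t wraparound but can still exceed PTRDIFF_MAX, so such a request presumably relies on _int_malloc rejecting it, and the comment in the next hunk could say so. _int_memalign begins and ends outside both hunks.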
+@@ -5183,7 +5183,10 @@ _int_memalign (mstate av, size_t alignment, size_t bytes)
+ we don't find anything in those bins, the common malloc code will
+ scan starting at 2x. */
+
+- /* Call malloc with worst case padding to hit alignment. */
++ /* Call malloc with worst case padding to hit alignment. ALIGNMENT is a
++ power of 2, so it tops out at (PTRDIFF_MAX >> 1) + 1, leaving plenty of
++ space to add MINSIZE and whatever checked_request2size adds to BYTES to
++ get NB. Consequently, total below also does not overflow. */
+ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE));
+
+ if (m == NULL)
+diff --git a/malloc/tst-malloc-too-large.c b/malloc/tst-malloc-too-large.c
+index a548a37b46..a1bda673a3 100644
+--- a/malloc/tst-malloc-too-large.c
++++ b/malloc/tst-malloc-too-large.c
+@@ -152,7 +152,6 @@ test_large_allocations (size_t size)
+ }
+
+
+-static long pagesize;
+
+ /* This function tests the following aligned memory allocation functions
+ using several valid alignments and precedes each allocation test with a
+@@ -171,8 +170,8 @@ test_large_aligned_allocations (size_t size)
+
+ /* All aligned memory allocation functions expect an alignment that is a
+ power of 2. Given this, we test each of them with every valid
+- alignment from 1 thru PAGESIZE. */
+- for (align = 1; align <= pagesize; align *= 2)
++ alignment for the type of ALIGN, i.e. until it wraps to 0. */
++ for (align = 1; align > 0; align <<= 1)
+ {
+ test_setup ();
+ #if __GNUC_PREREQ (7, 0)
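Review bot: Termination of `for (align = 1; align > 0; align <<= 1)` depends on `align` having an unsigned type, and its declaration is outside this hunk. With a signed type the final shift would be undefined behaviour rather than a wrap to 0. If it is `size_t`, the loop now also reaches the one power of 2 above PTRDIFF_MAX, which is the value the reinstated check in malloc.c rejects. The comment could record that, e.g. `... until it wraps to 0; the last value exceeds PTRDIFF_MAX and exercises the alignment overflow check.` test_large_aligned_allocations continues outside the hunk.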
+@@ -265,11 +264,6 @@ do_test (void)
+ DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
+ #endif
+
+- /* Aligned memory allocation functions need to be tested up to alignment
+- size equivalent to page size, which should be a power of 2. */
+- pagesize = sysconf (_SC_PAGESIZE);
+- TEST_VERIFY_EXIT (powerof2 (pagesize));
+-
+ /* Loop 1: Ensure that all allocations with SIZE close to SIZE_MAX, i.e.
+ in the range (SIZE_MAX - 2^14, SIZE_MAX], fail.
+
+--
+2.47.3
+
--- /dev/null
+From 453e6b8dbab935257eb0802b0c97bca6b67ba30e Mon Sep 17 00:00:00 2001
+From: Carlos O'Donell <carlos@redhat.com>
+Date: Thu, 15 Jan 2026 15:09:38 -0500
+Subject: [PATCH] resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+
+The default network value of zero for net was never tested for and
+results in a DNS query constructed from uninitialized stack bytes.
+The solution is to provide a default query for the case where net
+is zero.
+
+Adding a test case for this was straight forward given the existence of
+tst-resolv-network and if the test is added without the fix you observe
+this failure:
+
+FAIL: resolv/tst-resolv-network
+original exit status 1
+error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+error: 1 test failures
+
+With a random QNAME resulting from the use of uninitialized stack bytes.
+
+After the fix the test passes.
+
+Additionally verified using wireshark before and after to ensure
+on-the-wire bytes for the DNS query were as expected.
+
+No regressions on x86_64.
+
+Reviewed-by: Florian Weimer <fweimer@redhat.com>
+(cherry picked from commit e56ff82d5034ec66c6a78f517af6faa427f65b0b)
+---
+ resolv/nss_dns/dns-network.c | 4 ++++
+ resolv/tst-resolv-network.c | 6 ++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 519f8422ca..e14e959d7c 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -207,6 +207,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+ sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ net_bytes[1], net_bytes[0]);
+ break;
++ default:
++ /* Default network (net is originally zero). */
++ strcpy (qbuf, "0.0.0.0.in-addr.arpa");
++ break;
+ }
+
+ net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
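Review bot: The `default:` label catches every discriminant value the existing cases do not handle, while its comment describes only the net == 0 case. The switch expression and the other labels are outside the hunk, so whether zero is the only such value cannot be confirmed from here. Because the defect was a query built from uninitialized stack bytes, it would be more robust to also give `qbuf` a defined value before the switch, e.g. `qbuf[0] = '\0';`, so that any path that writes nothing yields an empty name rather than stack contents. The `strcpy` of a fixed 21-byte literal looks safe given that the case above can format a longer name into the same buffer, but the size of `qbuf` is declared outside the hunk.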
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index d9f69649d0..181be80835 100644
+--- a/resolv/tst-resolv-network.c
++++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+ switch (code)
+ {
++ case 0:
++ send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
++ break;
+ case 1:
+ send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+ break;
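Review bot: Neither the new `case 0:` here nor the new `check_reverse (0, ...)` call in the do_test hunk says that it is the regression case for the zero network, so it reads like just another success case. A one-line comment above each would keep the link to the fix, for example `/* Default network (net == 0): regression test for CVE-2026-0915. */`. Both handle_code and do_test continue outside their hunks.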
+@@ -265,6 +268,9 @@ do_test (void)
+ "error: TRY_AGAIN\n");
+
+ /* Lookup by address, success cases. */
++ check_reverse (0,
++ "name: 0.in-addr.arpa\n"
++ "net: 0x00000000\n");
+ check_reverse (1,
+ "name: 1.in-addr.arpa\n"
+ "net: 0x00000001\n");
+--
+2.47.3
+