Message ID | CAJaYUCYJhSVs-xQuQhySGcqzM+zB_eFRirEc4V3nkHRWgLLKvA@mail.gmail.com
---|---
State | New
Series | malloc: Check for large bin list corruption when inserting unsorted chunk
On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
>
> Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> of chunks in large bin when inserting chunk from unsorted bin. It was possible
> to write the pointer to victim (newly inserted chunk) to arbitrary memory
> locations if bk or bk_nextsize pointers of the next large bin chunk
> got corrupted.
> Sending again with patch as attachment for better readability.

Best Regards,
Adam Mariš

diff --git a/malloc/malloc.c b/malloc/malloc.c index 6e766d11bc..801ba1f499 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)"); } } else
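Review bot: the second new check, `if (bck->fd != fwd)`, lacks the `__glibc_unlikely` hint that the nextsize check two lines above carries; both are cold error paths, so mark it the same way for consistency. The placement of both checks is sound: the nextsize check reads `fwd->bk_nextsize->fd_nextsize` before the existing store `victim->bk_nextsize->fd_nextsize = victim` dereferences that same pointer for writing, and the bk check validates `bck` right after it is loaded from `fwd->bk` and before it is used, so a corrupted `bk_nextsize` or `bk` now ends in `malloc_printerr` instead of a write of `victim`'s address through the bad pointer, which is the failure the commit message describes. The hunk touches only `malloc/malloc.c`; a regression test that triggers each of the two new abort messages, and a ChangeLog entry for the checks, should accompany the patch.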
On Tue, Feb 12, 2019 at 5:34 PM Adam Maris <amaris@redhat.com> wrote:
>
> On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
> >
> > Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> > of chunks in large bin when inserting chunk from unsorted bin. It was possible
> > to write the pointer to victim (newly inserted chunk) to arbitrary memory
> > locations if bk or bk_nextsize pointers of the next large bin chunk
> > got corrupted.
> >
> > Sending again with patch as attachment for better readability.
>
Thoughts?
diff --git a/malloc/malloc.c b/malloc/malloc.c index 6e766d11bc..801ba1f499 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
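To make concrete what the two checks in the patch catch, here is an added toy model of the large-bin insertion branch they guard; it is not glibc code. The `struct chunk` is a constructed stand-in for `malloc_chunk`, the abort in `malloc_printerr` is replaced by an error return, and `largebin_demo` with its three modes is constructed for illustration.

```c
/* Constructed stand-in for glibc's malloc_chunk; size/header fields omitted.  */
struct chunk
{
  struct chunk *fd, *bk;                   /* bin list, circular through the bin header */
  struct chunk *fd_nextsize, *bk_nextsize; /* skip list over distinct sizes, chunks only */
};

/* Insert VICTIM in front of FWD in both lists (the branch the patch touches,
   where VICTIM's size differs from FWD's).  Returns 0, or -1 where glibc
   would call malloc_printerr.  Both checks run before any store here; glibc
   places the bk check after the nextsize stores, which is equivalent there
   because malloc_printerr aborts.  */
static int
largebin_insert_checked (struct chunk *victim, struct chunk *fwd)
{
  struct chunk *bck = fwd->bk;
  if (fwd->bk_nextsize->fd_nextsize != fwd)
    return -1; /* "largebin double linked list corrupted (nextsize)" */
  if (bck->fd != fwd)
    return -1; /* "largebin double linked list corrupted (bk)" */
  victim->fd_nextsize = fwd;
  victim->bk_nextsize = fwd->bk_nextsize;
  fwd->bk_nextsize = victim;
  victim->bk_nextsize->fd_nextsize = victim; /* unchecked, this writes VICTIM wherever bk_nextsize points */
  victim->fd = fwd;
  victim->bk = bck;
  fwd->bk = victim;
  bck->fd = victim;                          /* likewise through a corrupted bk */
  return 0;
}

/* Build bin -> a -> c -> bin and insert b before c.  MODE 0: intact lists;
   1: c->bk points at a stray chunk; 2: c->bk_nextsize does.  Returns the
   insert result, or -2 if a successful insert left the lists inconsistent.  */
int
largebin_demo (int mode)
{
  struct chunk bin = { 0 }, a = { 0 }, b = { 0 }, c = { 0 }, stray = { 0 };
  bin.fd = &a; a.fd = &c; c.fd = &bin;
  bin.bk = &c; c.bk = &a; a.bk = &bin;
  a.fd_nextsize = &c; c.fd_nextsize = &a;
  a.bk_nextsize = &c; c.bk_nextsize = &a;
  if (mode == 1) c.bk = &stray;          /* constructed corruption */
  if (mode == 2) c.bk_nextsize = &stray;
  int rc = largebin_insert_checked (&b, &c);
  if (rc == 0 && (a.fd != &b || b.fd != &c || c.bk != &b
                  || a.fd_nextsize != &b || c.bk_nextsize != &b))
    return -2;
  return rc;
}
```

With intact lists the insert succeeds and the lists read a -> b -> c afterwards; with either backward pointer redirected, the corresponding check fires before any pointer is written through it.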