From patchwork Wed Sep 10 09:06:43 2014
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 387646
Delivered-To: mailing list libc-alpha@sourceware.org
Message-ID: <541014A3.3020806@redhat.com>
Date: Wed, 10 Sep 2014 11:06:43 +0200
From: Florian Weimer
To: GNU C Library
CC: Chris Evans
Subject: [PATCH] malloc: additional unlink hardening for non-small bins [BZ #17344]

Chris Evans has suggested this as a way to stop certain exploits abusing malloc's metadata processing. My patch is slightly different; the patch in the bug report has some whitespace changes and locking code which is not present in master.

Apparently, some downstreams compile malloc with asserts enabled, and they do not fire, so the validity of the additional checks has in effect already been tested in the field.

Tested on Fedora 20 x86_64, with no regressions.

From 43eb4f76b7736f673c46b1b908e2c5b51004498d Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Wed, 10 Sep 2014 11:00:55 +0200
Subject: [PATCH] malloc: additional unlink hardening for non-small bins [BZ #17344]

Turn two asserts into a conditional call to malloc_printerr. The memory locations are accessed later anyway, so the performance impact is minor.

2014-09-10  Florian Weimer

	[BZ #17344]
	* malloc/malloc.c (unlink): Turn asserts into a call to
	malloc_printerr.

diff --git a/NEWS b/NEWS index 721b457..30df941 100644 --- a/NEWS +++ b/NEWS @@ -23,7 +23,7 @@ Version 2.20 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153, - 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354. + 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354. * Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in diff --git a/malloc/malloc.c b/malloc/malloc.c index 6ee3840..47859e1 100644 --- a/malloc/malloc.c 
+++ b/malloc/malloc.c @@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr; BK->fd = FD; \ if (!in_smallbin_range (P->size) \ && __builtin_expect (P->fd_nextsize != NULL, 0)) { \ - assert (P->fd_nextsize->bk_nextsize == P); \ - assert (P->bk_nextsize->fd_nextsize == P); \ + if (__builtin_expect (P->fd_nextsize->bk_nextsize != P \ + || P->bk_nextsize->fd_nextsize != P, 0)) \ + malloc_printerr (check_action, \ + "corrupted double-linked list (not small)", P);\ if (FD->fd_nextsize == NULL) { \ if (P->fd_nextsize == P) \ FD->fd_nextsize = FD->bk_nextsize = FD; \ -- 1.9.3
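Review bot: In the malloc.c hunk the new check reports but does not stop the unlink: if malloc_printerr returns (check_action without the abort bit set), the `if (FD->fd_nextsize == NULL) {` block that follows still reads and writes through P->fd_nextsize and P->bk_nextsize, the pointers the condition just found inconsistent. Consider placing the remaining nextsize updates in an `else` branch of the new `if (__builtin_expect (P->fd_nextsize->bk_nextsize != P || P->bk_nextsize->fd_nextsize != P, 0))`, or say in the commit message that report-and-continue is the intended behaviour for a non-aborting check_action. The NEWS hunk inserts 17344 in sorted position, so nothing to raise there.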
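To show what the two former asserts protect, here is a self-contained model of the patched unlink path, written for this page and not code from glibc or from the patch: `struct chunk`, `unlink_chunk`, `build_large_bin` and `demo` are constructed stand-ins, with `small_bin` taking the place of the `in_smallbin_range (P->size)` test and a return code taking the place of `malloc_printerr`. It builds a three-chunk large-bin list, unlinks a chunk from an intact ring, and then shows the new check firing on a ring whose nextsize back-link no longer points at the chunk being unlinked, before any of the later nextsize pointer writes happen.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed stand-in for glibc's malloc_chunk: only the fields unlink touches. */
struct chunk { struct chunk *fd, *bk, *fd_nextsize, *bk_nextsize; };
enum unlink_result { UNLINK_OK = 0, CORRUPT_FD_BK = 1, CORRUPT_NEXTSIZE = 2 };

/* Model of unlink(P, BK, FD) after the patch: the first check is the pre-existing
 * fd/bk one, the second replaces the two asserts.  Where glibc calls
 * malloc_printerr this model returns a code and skips the nextsize writes. */
enum unlink_result unlink_chunk(struct chunk *p, bool small_bin)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return CORRUPT_FD_BK;                /* "corrupted double-linked list" */
    fd->bk = bk; bk->fd = fd;
    if (!small_bin && p->fd_nextsize != NULL) {
        if (p->fd_nextsize->bk_nextsize != p || p->bk_nextsize->fd_nextsize != p)
            return CORRUPT_NEXTSIZE;         /* "... double-linked list (not small)" */
        if (fd->fd_nextsize == NULL) {       /* fd is not yet in the nextsize ring */
            if (p->fd_nextsize == p) fd->fd_nextsize = fd->bk_nextsize = fd;
            else {
                fd->fd_nextsize = p->fd_nextsize; fd->bk_nextsize = p->bk_nextsize;
                p->fd_nextsize->bk_nextsize = fd; p->bk_nextsize->fd_nextsize = fd;
            }
        } else {                             /* drop p from the ring it is already in */
            p->fd_nextsize->bk_nextsize = p->bk_nextsize;
            p->bk_nextsize->fd_nextsize = p->fd_nextsize;
        }
    }
    return UNLINK_OK;
}

/* Constructed fixture: bin header h -> a -> b; a and b form the nextsize ring. */
static void build_large_bin(struct chunk *h, struct chunk *a, struct chunk *b)
{
    h->fd = a; a->fd = b; b->fd = h;  h->bk = b; b->bk = a; a->bk = h;
    h->fd_nextsize = h->bk_nextsize = NULL;
    a->fd_nextsize = a->bk_nextsize = b;  b->fd_nextsize = b->bk_nextsize = a;
}

/* Intact ring: unlink a, then b must be the sole nextsize node (returns 0).
 * corrupt: b's back-link no longer points at a, so the new check must fire. */
int demo(bool corrupt)
{
    struct chunk h, a, b;
    build_large_bin(&h, &a, &b);
    if (corrupt) b.bk_nextsize = &h;         /* a->fd_nextsize->bk_nextsize != a */
    enum unlink_result r = unlink_chunk(&a, false);
    if (r != UNLINK_OK) return r;
    return (h.fd == &b && b.bk == &h && b.fd_nextsize == &b && b.bk_nextsize == &b) ? 0 : -1;
}
```

With NDEBUG the original asserts compile to nothing, so only the conditional form catches the corrupt case.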