From patchwork Tue Nov 7 15:27:04 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 835330
From: Istvan Kurucsai
To: libc-alpha@sourceware.org
Cc: Istvan Kurucsai
Subject: [PATCH v2 1/7] malloc: Add check for top size corruption.
Date: Tue, 7 Nov 2017 16:27:04 +0100
Message-Id: <1510068430-27816-2-git-send-email-pistukem@gmail.com>
In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com>
References: <1510068430-27816-1-git-send-email-pistukem@gmail.com>

Ensure that the size of top is below av->system_mem.

* malloc/malloc.c (_int_malloc): Check top size.
---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c index f94d51c..4a30c42 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4078,6 +4078,10 @@ _int_malloc (mstate av, size_t bytes) if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) { + if (__glibc_unlikely ((unsigned long) (size) > + (unsigned long) (av->system_mem))) + malloc_printerr("malloc(): corrupted top chunk"); + remainder_size = size - nb; remainder = chunk_at_offset (victim, nb); av->top = remainder;
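
Review bot: the new top-size check is nested inside the "if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))" branch, so it only runs when top is about to be split. A request whose nb + MINSIZE exceeds the corrupted size skips the branch, and the oversized top is never reported by this check. Consider hoisting the comparison against av->system_mem above that "if" so every use of top in _int_malloc is validated before either path is taken. Two smaller points: "malloc_printerr(" is missing the space before the opening parenthesis that the surrounding calls use (compare "chunk_at_offset (victim, nb)" and "__glibc_unlikely ("), and the commit message says the size must be "below" av->system_mem while the test uses ">" and therefore accepts a size equal to it. A one-line comment stating the intended bound would settle which is meant.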