From patchwork Tue Feb 12 16:13:00 2019
X-Patchwork-Submitter: Adam Maris
X-Patchwork-Id: 1040679
From: Adam Maris
Date: Tue, 12 Feb 2019 17:13:00 +0100
Subject: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
To: libc-alpha@sourceware.org

Fixes bug 24216.

This patch adds security checks for the bk and bk_nextsize pointers of chunks in the large bin when inserting a chunk from the unsorted bin. It was possible to write the pointer to victim (the newly inserted chunk) to arbitrary memory locations if the bk or bk_nextsize pointers of the next large bin chunk got corrupted.

Tested with no regressions.

	* malloc/malloc.c (_int_malloc): Add security checks for large bin chunks when inserting unsorted chunk.

} } else diff --git a/malloc/malloc.c b/malloc/malloc.c index 6e766d11bc..801ba1f499 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
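Review bot: the second new check, `if (bck->fd != fwd)`, is not wrapped in `__glibc_unlikely` the way the nextsize check a few lines above it is (`if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))`); wrapping it the same way keeps the two error paths consistent and out of the hot path. Note also that the bk check runs after `fwd->bk_nextsize = victim;` and `victim->bk_nextsize->fd_nextsize = victim;` have already executed, so when it fires the nextsize list has already been modified; that is acceptable only because `malloc_printerr` aborts, which the commit message could state explicitly. Finally, the patch touches only malloc/malloc.c and adds no test that corrupts `bk` or `bk_nextsize` of a large bin chunk and expects the abort; a small malloc/tst-* case would pin both messages down.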
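As an added worked example (not part of this patch, of glibc, or of the author's message), the following stand-alone C model reproduces the insertion path the hunk hardens: a chunk `victim` leaving the unsorted bin is linked in front of large-bin chunk `fwd`, and the writes `victim->bk_nextsize->fd_nextsize = victim` and `bck->fd = victim` land wherever `fwd->bk_nextsize` and `fwd->bk` point. The `struct chunk` link fields follow glibc's layout; the `scenario` helpers, the `checks` switch that toggles between pre-patch and patched behaviour, and the use of a return code in place of `malloc_printerr` (which aborts in glibc) are assumptions made for illustration.

```c
/* Added example, not glibc code: a model of the large-bin insertion path
   hardened by this patch. It shows how a corrupted bk or bk_nextsize on the
   large-bin chunk `fwd` turns the insertion of `victim` into a write of the
   victim pointer to an attacker-chosen address, and how the two added checks
   stop it. Chunk link layout follows glibc; the scenario helpers and the
   return code used instead of malloc_printerr/abort are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct chunk {
    size_t prev_size, size;
    struct chunk *fd, *bk;                   /* bin list links */
    struct chunk *fd_nextsize, *bk_nextsize; /* large-bin size-skip links */
};

enum insert_result { INSERT_OK = 0, CORRUPT_NEXTSIZE = 1, CORRUPT_BK = 2 };

/* Path taken when victim->size < fwd->size, so victim joins both the
   nextsize list and the main bin list. checks == 0 reproduces the pre-patch
   code; with checks == 1 a detected corruption is returned (glibc aborts). */
enum insert_result largebin_insert(struct chunk *victim, struct chunk *fwd, int checks)
{
    struct chunk *bck;

    victim->fd_nextsize = fwd;
    victim->bk_nextsize = fwd->bk_nextsize;
    if (checks && fwd->bk_nextsize->fd_nextsize != fwd)
        return CORRUPT_NEXTSIZE;
    fwd->bk_nextsize = victim;
    /* Write A: lands at (original fwd->bk_nextsize)->fd_nextsize. */
    victim->bk_nextsize->fd_nextsize = victim;

    bck = fwd->bk;
    if (checks && bck->fd != fwd)
        return CORRUPT_BK;
    /* The link-in that follows in _int_malloc. */
    victim->bk = bck;
    victim->fd = fwd;
    fwd->bk = victim;
    /* Write B: lands at (fwd->bk)->fd. */
    bck->fd = victim;
    return INSERT_OK;
}

/* One constructed scenario: a large bin holding the single chunk `fwd`, a
   `victim` arriving from the unsorted bin, and two attacker-chosen regions
   `fake_bk` and `fake_ns`. In a real attack these are any writable address
   minus the field offset, e.g. a global pointer the attacker wants to hijack. */
struct scenario {
    struct chunk bin, fwd, victim, fake_bk, fake_ns;
    enum insert_result result;
};

static void run(struct scenario *s, int corrupt_bk, int corrupt_ns, int checks)
{
    memset(s, 0, sizeof *s);
    s->fwd.size = 0x420;
    s->victim.size = 0x410;                  /* smaller: takes the nextsize path */
    /* Well-formed bin: bin <-> fwd, and fwd is its own size-class neighbour. */
    s->bin.fd = s->bin.bk = &s->fwd;
    s->fwd.fd = s->fwd.bk = &s->bin;
    s->fwd.fd_nextsize = s->fwd.bk_nextsize = &s->fwd;
    /* The corruption an overflow or use-after-free on fwd hands the attacker. */
    if (corrupt_bk) s->fwd.bk = &s->fake_bk;
    if (corrupt_ns) s->fwd.bk_nextsize = &s->fake_ns;
    s->result = largebin_insert(&s->victim, &s->fwd, checks);
}

enum insert_result scenario_result(int corrupt_bk, int corrupt_ns, int checks)
{
    struct scenario s;
    run(&s, corrupt_bk, corrupt_ns, checks);
    return s.result;
}

/* 1 if the victim pointer ended up inside an attacker-chosen region. */
int scenario_attacker_write_landed(int corrupt_bk, int corrupt_ns, int checks)
{
    struct scenario s;
    run(&s, corrupt_bk, corrupt_ns, checks);
    return s.fake_bk.fd == &s.victim || s.fake_ns.fd_nextsize == &s.victim;
}

/* 1 if a clean insert leaves both lists as consistent doubly linked lists. */
int scenario_links_consistent(int checks)
{
    struct scenario s;
    run(&s, 0, 0, checks);
    return s.result == INSERT_OK
        && s.bin.fd == &s.victim && s.victim.bk == &s.bin
        && s.victim.fd == &s.fwd && s.fwd.bk == &s.victim
        && s.fwd.bk_nextsize == &s.victim && s.victim.fd_nextsize == &s.fwd
        && s.victim.bk_nextsize == &s.fwd && s.fwd.fd_nextsize == &s.victim;
}

int main(void)
{
    static const char *names[] = { "ok", "corrupted (nextsize)", "corrupted (bk)" };
    printf("corrupt bk, no checks: %s, write landed=%d\n",
           names[scenario_result(1, 0, 0)], scenario_attacker_write_landed(1, 0, 0));
    printf("corrupt bk, checks:    %s, write landed=%d\n",
           names[scenario_result(1, 0, 1)], scenario_attacker_write_landed(1, 0, 1));
    printf("corrupt ns, no checks: %s, write landed=%d\n",
           names[scenario_result(0, 1, 0)], scenario_attacker_write_landed(0, 1, 0));
    printf("corrupt ns, checks:    %s, write landed=%d\n",
           names[scenario_result(0, 1, 1)], scenario_attacker_write_landed(0, 1, 1));
    return 0;
}
```

The two corrupted scenarios with `checks == 0` are the primitive the commit message describes: a single corrupted pointer on a large-bin chunk yields a write of `&victim` to an address of the attacker's choosing with no crash. With the checks on, the bk corruption is caught before Write B, while the nextsize corruption is caught before Write A; the partial state left behind by a late detection does not matter in glibc because `malloc_printerr` terminates the process.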