From: Adam Maris <amaris@redhat.com>
To: libc-alpha@sourceware.org
Subject: Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
Date: Tue, 12 Feb 2019 17:34:00 +0100
Message-ID: <CAJaYUCYtdgfSxcWLrezFabu3A89OeahrctrTvy=S9KfGD2tFXQ@mail.gmail.com>
In-Reply-To: <CAJaYUCYJhSVs-xQuQhySGcqzM+zB_eFRirEc4V3nkHRWgLLKvA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 507 bytes --]
On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
>
> Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> of chunks in large bin when inserting chunk from unsorted bin. It was possible
> to write the pointer to victim (newly inserted chunk) to arbitrary memory
> locations if bk or bk_nextsize pointers of the next large bin chunk
> got corrupted.
>
Sending again with patch as attachment for better readability.
Best Regards,
Adam Mariš
[-- Attachment #2: frontlink.patch --]
[-- Type: text/x-patch, Size: 928 bytes --]
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d11bc..801ba1f499 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else
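Review bot: The second added check, `if (bck->fd != fwd)` near the end of the hunk, is not wrapped in `__glibc_unlikely`, while the nextsize check added a few lines above it is. Wrap it the same way so both corruption checks are marked as cold paths and read consistently. The nextsize check itself is well placed: it sits before the stores `fwd->bk_nextsize = victim` and `victim->bk_nextsize->fd_nextsize = victim`, which are the writes that would go through a corrupted pointer. The `bk` check, by contrast, comes directly after `bck = fwd->bk` and the store through `bck` lies outside the visible lines, so it is worth confirming that nothing dereferences `bck` for writing on another path that skips this branch. A regression test that corrupts `bk` and `bk_nextsize` of a large bin chunk and expects the two new abort messages would also help, since the patch ships none.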
Thread overview: 8+ messages
2019-02-12 16:13 [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk Adam Maris
2019-02-12 16:34 ` Adam Maris [this message]
2019-02-21 10:40 ` Adam Maris
2019-02-22 1:30 ` DJ Delorie
2019-03-06 12:09 ` Florian Weimer
2019-03-14 20:56 ` DJ Delorie
2019-05-15 15:50 ` Andreas Schwab
2019-05-15 16:12 ` DJ Delorie