* [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
@ 2019-02-12 16:13 Adam Maris
2019-02-12 16:34 ` Adam Maris
0 siblings, 1 reply; 8+ messages in thread
From: Adam Maris @ 2019-02-12 16:13 UTC (permalink / raw)
To: libc-alpha
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.
Tested with no regressions.
* malloc/malloc.c (_int_malloc): Add security checks for large bin
chunks when inserting unsorted chunk.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d11bc..801ba1f499 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely
(fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin
double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double
linked list corrupted (bk)");
}
}
else
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
2019-02-12 16:13 [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk Adam Maris
@ 2019-02-12 16:34 ` Adam Maris
2019-02-21 10:40 ` Adam Maris
2019-02-22 1:30 ` DJ Delorie
0 siblings, 2 replies; 8+ messages in thread
From: Adam Maris @ 2019-02-12 16:34 UTC (permalink / raw)
To: libc-alpha
[-- Attachment #1: Type: text/plain, Size: 507 bytes --]
On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
>
> Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> of chunks in large bin when inserting chunk from unsorted bin. It was possible
> to write the pointer to victim (newly inserted chunk) to arbitrary memory
> locations if bk or bk_nextsize pointers of the next large bin chunk
> got corrupted.
>
Sending again with patch as attachment for better readability.
Best Regards,
Adam Mariš
[-- Attachment #2: frontlink.patch --]
[-- Type: text/x-patch, Size: 928 bytes --]
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d11bc..801ba1f499 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
2019-02-12 16:34 ` Adam Maris
@ 2019-02-21 10:40 ` Adam Maris
2019-02-22 1:30 ` DJ Delorie
1 sibling, 0 replies; 8+ messages in thread
From: Adam Maris @ 2019-02-21 10:40 UTC (permalink / raw)
To: libc-alpha
On Tue, Feb 12, 2019 at 5:34 PM Adam Maris <amaris@redhat.com> wrote:
>
> On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
> >
> > Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> > of chunks in large bin when inserting chunk from unsorted bin. It was possible
> > to write the pointer to victim (newly inserted chunk) to arbitrary memory
> > locations if bk or bk_nextsize pointers of the next large bin chunk
> > got corrupted.
> >
>
> Sending again with patch as attachment for better readability.
>
Thoughts?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
2019-02-12 16:34 ` Adam Maris
2019-02-21 10:40 ` Adam Maris
@ 2019-02-22 1:30 ` DJ Delorie
2019-03-06 12:09 ` Florian Weimer
1 sibling, 1 reply; 8+ messages in thread
From: DJ Delorie @ 2019-02-22 1:30 UTC (permalink / raw)
To: Adam Maris; +Cc: libc-alpha
Adam Maris <amaris@redhat.com> writes:
> {
> victim->fd_nextsize = fwd;
> victim->bk_nextsize = fwd->bk_nextsize;
> + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
> + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
At this point, the size of the chunk matches neither the previous nor
next chunks; we're creating a new "unique size" sub-head. So, both fd
and fd_nextsize should point to the next (fwd) chunk. We've hooked in
our new chunk but haven't yet fixed up the existing chunks, so this test
verifies that the links between the next chunk (fwd, which is a
start-of-size chunk) and the previous start-of-size chunk are still
cyclic. Ok.
> fwd->bk_nextsize = victim;
> victim->bk_nextsize->fd_nextsize = victim;
> }
> bck = fwd->bk;
> + if (bck->fd != fwd)
> + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
At this point the newly inserted chunk may be a start-of-size chunk, or
a second-in-size chunk; either way, we've not yet linked it into the
fd-bk chain, so we can verify that the fwd->bk->fd is still cyclic. Ok.
So, looks correct to me.
Reviewed-by: DJ Delorie <dj@redhat.com>
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
2019-02-22 1:30 ` DJ Delorie
@ 2019-03-06 12:09 ` Florian Weimer
2019-03-14 20:56 ` DJ Delorie
0 siblings, 1 reply; 8+ messages in thread
From: Florian Weimer @ 2019-03-06 12:09 UTC (permalink / raw)
To: DJ Delorie; +Cc: libc-alpha
* DJ Delorie:
> Adam Maris <amaris@redhat.com> writes:
>> {
>> victim->fd_nextsize = fwd;
>> victim->bk_nextsize = fwd->bk_nextsize;
>> + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
>> + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
>
> At this point, the size of the chunk matches neither the previous nor
> next chunks; we're creating a new "unique size" sub-head. So, both fd
> and fd_nextsize should point to the next (fwd) chunk. We've hooked in
> our new chunk but haven't yet fixed up the existing chunks, so this test
> verifies that the links between the next chunk (fwd, which is a
> start-of-size chunk) and the previous start-of-size chunk are still
> cyclic. Ok.
>
>> fwd->bk_nextsize = victim;
>> victim->bk_nextsize->fd_nextsize = victim;
>> }
>> bck = fwd->bk;
>> + if (bck->fd != fwd)
>> + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
>
> At this point the newly inserted chunk may be a start-of-size chunk, or
> a second-in-size chunk; either way, we've not yet linked it into the
> fd-bk chain, so we can verify that the fwd->bk->fd is still cyclic. Ok.
>
> So, looks correct to me.
> Reviewed-by: DJ Delorie <dj@redhat.com>
I agree with this analysis.
Adam's submission is no longer covered by the Red Hat copyright
assignment, though, but I believe we can still accept it because it was
submitted under the assignment, and it is a small change anyway.
Thanks,
Florian
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
2019-03-06 12:09 ` Florian Weimer
@ 2019-03-14 20:56 ` DJ Delorie
2019-05-15 15:50 ` Andreas Schwab
0 siblings, 1 reply; 8+ messages in thread
From: DJ Delorie @ 2019-03-14 20:56 UTC (permalink / raw)
To: Florian Weimer; +Cc: libc-alpha
Florian Weimer <fweimer@redhat.com> writes:
> * DJ Delorie:
>
>> Adam Maris <amaris@redhat.com> writes:
>>> {
>>> victim->fd_nextsize = fwd;
>>> victim->bk_nextsize = fwd->bk_nextsize;
>>> + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
>>> + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
>>
>> At this point, the size of the chunk matches neither the previous nor
>> next chunks; we're creating a new "unique size" sub-head. So, both fd
>> and fd_nextsize should point to the next (fwd) chunk. We've hooked in
>> our new chunk but haven't yet fixed up the existing chunks, so this test
>> verifies that the links between the next chunk (fwd, which is a
>> start-of-size chunk) and the previous start-of-size chunk are still
>> cyclic. Ok.
>>
>>> fwd->bk_nextsize = victim;
>>> victim->bk_nextsize->fd_nextsize = victim;
>>> }
>>> bck = fwd->bk;
>>> + if (bck->fd != fwd)
>>> + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
>>
>> At this point the newly inserted chunk may be a start-of-size chunk, or
>> a second-in-size chunk; either way, we've not yet linked it into the
>> fd-bk chain, so we can verify that the fwd->bk->fd is still cyclic. Ok.
>>
>> So, looks correct to me.
>> Reviewed-by: DJ Delorie <dj@redhat.com>
>
> I agree with this analysis.
>
> Adam's submission is no longer covered by the Red Hat copyright
> assignment, though, but I believe we can still accept it because it was
> submitted under the assignment, and it is a small change anyway.
Agreed. Pushed. Finally ;-)
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-05-15 16:12 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-12 16:13 [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk Adam Maris
2019-02-12 16:34 ` Adam Maris
2019-02-21 10:40 ` Adam Maris
2019-02-22 1:30 ` DJ Delorie
2019-03-06 12:09 ` Florian Weimer
2019-03-14 20:56 ` DJ Delorie
2019-05-15 15:50 ` Andreas Schwab
2019-05-15 16:12 ` DJ Delorie
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).