diff options
| author |   Moritz Eckert <m.eckert@cs.ucsb.edu> | 2018-08-16 21:08:36 -0400 |
|---|---|---|
| committer |   Andreas K. Hüttel <dilfridge@gentoo.org> | 2018-12-11 23:33:22 +0100 |
| commit | 79631a67f965c875e31e00e1c72ede77a88f4796 (patch) | |
| tree | 25c0c6ed5dcd87446a037d405c4d483145dddeb1 | |
| parent | malloc: Verify size of top chunk. (diff) | |
| download | glibc-79631a67f965c875e31e00e1c72ede77a88f4796.tar.gz glibc-79631a67f965c875e31e00e1c72ede77a88f4796.tar.bz2 glibc-79631a67f965c875e31e00e1c72ede77a88f4796.zip | |
malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.
(cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f)
(cherry picked from commit 7e40c3f804b5d5dbbc0519565b16101ab22fb899)
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | malloc/malloc.c | 4 |
2 files changed, 9 insertions, 0 deletions
@@ -1,3 +1,8 @@ +2018-08-16 DJ Delorie <dj@delorie.com> + + * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. + (malloc_consolidate): Likewise. + 2018-08-16 Pochang Chen <johnchen902@gmail.com> * malloc/malloc.c (_int_malloc.c): Verify size of top chunk. diff --git a/malloc/malloc.c b/malloc/malloc.c index 9431108626..7c8bf8413c 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size while consolidating"); unlink(av, p, bck, fwd); } @@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size in fastbins"); unlink(av, p, bck, fwd); } |