This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug malloc/23733] Check the count before calling tcache_get()
- From: "amaris at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 10 Oct 2018 19:17:19 +0000
- Subject: [Bug malloc/23733] Check the count before calling tcache_get()
- Auto-submitted: auto-generated
- References: <bug-23733-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=23733
--- Comment #2 from Adam Mariš <amaris at redhat dot com> ---
(In reply to Carlos O'Donell from comment #1)
> (In reply to Adam Mariš from comment #0)
> > Created attachment 11287 [details]
> > tcache overflow
> >
> > When calling tcache_get() in __libc_malloc(), it is checked (among other
> > things) that tcache->entries[tc_idx] isn't equal to NULL, which indicates the
> > corresponding tcache bin should be empty. However, when the last chunk in a
> > tcache bin gets corrupted (e.g. by use after free or heap buffer overflow)
> > and the pointer to the next chunk, which is NULL, is overwritten, malloc() will
> > continue to serve chunks from that tcache bin even if it's empty and
> > tcache->count[tc_idx] will overflow.
> >
> > It would be better to check if tcache->count[tc_idx] > 0, either instead or
> > additionally (even better), since it isn't as vulnerable to corruption as
> > metadata stored in chunks.
>
> Adam,
>
> Are you able to post a tested patch for this to libc-alpha?
>
OK, added to my TODO list.
> The fix would also need a test case, a simple program like your PoC but with
> a bit more boilerplate, e.g. malloc/tst-malloc-backtrace.c, which uses
> "EXPECTED_SIGNAL SIGABRT" to indicate that a PASS for the test is a SIGABRT
> (which is that malloc should abort when it detects corruption).
>
That's useful to know, thanks! I'll look into it and get back once I'm done.
--
You are receiving this mail because:
You are on the CC list for the bug.
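The following is an added illustration of the point raised in the bug, not code from glibc, from the bug's attachment, or from either commenter. It is a deliberately simplified model of one tcache bin (the struct, the `model_` function names and the single-bin layout are assumptions made for this example): the head pointer and the per-bin count live in the per-thread tcache struct, while each freed chunk's "next" pointer lives inside the chunk's own user data. The scenario mirrors the report: one chunk is freed, its NULL next pointer is overwritten after the free, and the allocator is asked for that size twice. The entries-only lookup hands out a second, bogus chunk and wraps the count; the lookup that checks the count first refuses and flags the inconsistency, which is where glibc's real code would abort.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical single-bin model of a per-thread tcache (not glibc's layout). */
typedef struct tcache_entry {
    struct tcache_entry *next;   /* stored inside the freed chunk: corruptible */
} tcache_entry;

typedef struct {
    uint8_t count;               /* stored in the tcache struct: harder to corrupt */
    tcache_entry *entries;       /* head of the bin's singly linked free list */
} tcache_bin;

/* free() side: push a chunk onto the bin (models tcache_put). */
static void model_tcache_put(tcache_bin *bin, tcache_entry *e) {
    e->next = bin->entries;
    bin->entries = e;
    bin->count++;
}

/* Pre-fix behaviour: only the head pointer is inspected before serving. */
static tcache_entry *model_get_entries_only(tcache_bin *bin) {
    if (bin->entries == NULL)
        return NULL;
    tcache_entry *e = bin->entries;
    bin->entries = e->next;      /* trusts the in-chunk next pointer */
    bin->count--;                /* 0 wraps to 255 when the list is already empty */
    return e;
}

/* Post-fix behaviour: the count is checked first. When count is 0 but the
   head pointer is non-NULL, the bin is inconsistent: *corrupted is set and
   nothing is served (glibc would abort here instead of returning). */
static tcache_entry *model_get_checked(tcache_bin *bin, int *corrupted) {
    *corrupted = 0;
    if (bin->count == 0) {
        if (bin->entries != NULL)
            *corrupted = 1;
        return NULL;
    }
    if (bin->entries == NULL)
        return NULL;
    tcache_entry *e = bin->entries;
    bin->entries = e->next;
    bin->count--;
    return e;
}

typedef struct {
    int served;                  /* chunks handed out before stopping */
    int corrupted;               /* 1 if the checked lookup detected the mismatch */
    unsigned count_after;        /* bin count at the end of the scenario */
} scenario_result;

/* Scenario from the report: one chunk freed, its NULL next pointer
   overwritten afterwards (constructed use-after-free), then two requests. */
static scenario_result run_scenario(int use_count_check) {
    static tcache_entry chunk;   /* the one legitimately freed chunk */
    static tcache_entry bogus;   /* memory the overwritten pointer points at */
    tcache_bin bin = { 0, NULL };
    scenario_result r = { 0, 0, 0 };
    int corrupted = 0;

    model_tcache_put(&bin, &chunk);      /* free(): count 1, entries -> chunk */
    chunk.next = &bogus;                 /* corruption of the in-chunk NULL */

    for (int i = 0; i < 2; i++) {
        tcache_entry *got = use_count_check
            ? model_get_checked(&bin, &corrupted)
            : model_get_entries_only(&bin);
        if (got != NULL)
            r.served++;
        if (corrupted) {
            r.corrupted = 1;
            break;
        }
    }
    r.count_after = bin.count;
    return r;
}

int main(void) {
    scenario_result a = run_scenario(0);
    scenario_result b = run_scenario(1);
    printf("entries-only: served=%d count=%u\n", a.served, a.count_after);
    printf("count-checked: served=%d corrupted=%d count=%u\n",
           b.served, b.corrupted, b.count_after);
    return 0;
}
```

The model deliberately returns a status instead of aborting so the two behaviours can be compared in one run; a glibc test in the style Carlos describes would instead expect the abort signal as the passing outcome.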