This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.28.9000-66-gd6db68e
- From: dj at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 17 Aug 2018 01:28:11 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.28.9000-66-gd6db68e
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f (commit)
from 30a17d8c95fbfb15c52d1115803b63aaa73a285c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f
commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f
Author: Moritz Eckert <m.eckert@cs.ucsb.edu>
Date: Thu Aug 16 21:08:36 2018 -0400
malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.
diff --git a/ChangeLog b/ChangeLog
index dc72e54..1e84f9b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-16 DJ Delorie <dj@delorie.com>
+
+ * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
+ (malloc_consolidate): Likewise.
+
2018-08-16 Pochang Chen <johnchen902@gmail.com>
* malloc/malloc.c (_int_malloc.c): Verify size of top chunk.
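Review bot: The new ChangeLog entry is credited to DJ Delorie <dj@delorie.com>, while the commit header above lists Moritz Eckert <m.eckert@cs.ucsb.edu> as the author of the change. If the check was written by Moritz Eckert, the entry should carry that name and address so the ChangeLog attribution matches the commit.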
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9431108..7c8bf84 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size while consolidating");
unlink(av, p, bck, fwd);
}
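Review bot: The test added in _int_free has no comment, and the reason it sits between chunk_at_offset and unlink is not obvious from the code alone. A short comment would help: prevsize is read from the chunk being freed, p is moved back by that amount, and the comparison confirms that the chunk found there records the same size before unlink touches its list pointers. The comment should also say that the test only establishes that the two fields agree, because chunksize(p) is itself read from the location that prevsize selected.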
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size in fastbins");
unlink(av, p, bck, fwd);
}
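Review bot: The two lines added to malloc_consolidate duplicate the test added to _int_free, differing only in the message string, so the two copies can drift apart. Consider putting the comparison in one place, either a small helper or unlink itself, which both sites call immediately afterwards, and passing the message in. The summary of changes lists only ChangeLog and malloc/malloc.c, so no regression test accompanies the check; a test that expects the "corrupted size vs. prev_size" abort when the two fields disagree would keep the check from being lost in a later refactor.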
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 5 +++++
malloc/malloc.c | 4 ++++
2 files changed, 9 insertions(+), 0 deletions(-)
hooks/post-receive
--
GNU C Library master sources