This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.29.9000-133-g5b06f53
- From: dj at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 14 Mar 2019 20:55:41 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.29.9000-133-g5b06f53
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 5b06f538c5aee0389ed034f60d90a8884d6d54de (commit)
from a0a0dc83173ce11ff45105fd32e5d14356cdfb9c (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5b06f538c5aee0389ed034f60d90a8884d6d54de
commit 5b06f538c5aee0389ed034f60d90a8884d6d54de
Author: Adam Maris <amaris@redhat.com>
Date: Thu Mar 14 16:51:16 2019 -0400
malloc: Check for large bin list corruption when inserting unsorted chunk
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d1..801ba1f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else
-----------------------------------------------------------------------
Summary of changes:
malloc/malloc.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
hooks/post-receive
--
GNU C Library master sources