This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

GNU C Library master sources branch master updated. glibc-2.29.9000-133-g5b06f53

From: dj at sourceware dot org
To: glibc-cvs at sourceware dot org
Date: 14 Mar 2019 20:55:41 -0000
Subject: GNU C Library master sources branch master updated. glibc-2.29.9000-133-g5b06f53

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  5b06f538c5aee0389ed034f60d90a8884d6d54de (commit)
      from  a0a0dc83173ce11ff45105fd32e5d14356cdfb9c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=5b06f538c5aee0389ed034f60d90a8884d6d54de

commit 5b06f538c5aee0389ed034f60d90a8884d6d54de
Author: Adam Maris <amaris@redhat.com>
Date:   Thu Mar 14 16:51:16 2019 -0400

    malloc: Check for large bin list corruption when inserting unsorted chunk
    
    Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
    of chunks in large bin when inserting chunk from unsorted bin. It was possible
    to write the pointer to victim (newly inserted chunk) to arbitrary memory
    locations if bk or bk_nextsize pointers of the next large bin chunk
    got corrupted.

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d1..801ba1f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
                         {
                           victim->fd_nextsize = fwd;
                           victim->bk_nextsize = fwd->bk_nextsize;
+                          if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+                            malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
                           fwd->bk_nextsize = victim;
                           victim->bk_nextsize->fd_nextsize = victim;
                         }
                       bck = fwd->bk;
+                      if (bck->fd != fwd)
+                        malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
                     }
                 }
               else

-----------------------------------------------------------------------

Summary of changes:
 malloc/malloc.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]