This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
[glibc/release/2.28/master] malloc: Check for large bin list corruption when inserting unsorted chunk
- From: Arjun Shankar <arjun at sourceware dot org>
- To: glibc-cvs at sourceware dot org
- Date: 2 May 2019 12:39:57 -0000
- Subject: [glibc/release/2.28/master] malloc: Check for large bin list corruption when inserting unsorted chunk
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a5e58827f2b6efa94ea50a9db5f3c861173837f
commit 4a5e58827f2b6efa94ea50a9db5f3c861173837f
Author: Adam Maris <amaris@redhat.com>
Date: Thu Mar 14 16:51:16 2019 -0400
malloc: Check for large bin list corruption when inserting unsorted chunk
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.
(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)
Diff:
---
malloc/malloc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6ae22e6..0e9a2e2 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3869,10 +3869,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else