This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[RFC][PATCH 0/7] Additonal integrity checks for the malloc implementation

This patch set tries to improve on the current integrity checks in malloc. The goal was to eliminate known exploitation techniques with the simplest possible changes. A quick overview of the individual patches:

(1/7) An attempt at hardening the `use_top` part of malloc against corruption and pivoting of the top chunk, known as the House of Force [1]. The possibility of extending the top chunk from an mmapped arena into another remains.

(2/7) The binning code in malloc is rather attacker-friendly [2][3]. Change this by enforcing as many invariants as possible on chunks from the unsorted bin.

(3/7) `malloc_consolidate` contains no integrity checks beside the ones in `unlink`. This can be abused by an attacker in a couple of ways [4]. The patch limits the possibilities significantly.

(4/7) Fix an unsigned underflow and subsequent wild memcpy that can be triggered by a corrupted chunk size in `__libc_realloc` [5]. 

(5/7) By corrupting the `IS_MMAPPED` bit of a free chunk, an attacker can force calloc to return an uninitialized chunk [6]. The patch adds checks to the `IS_MMAPPED` path in calloc, even though the protection is not complete.

(6/7), (7/7): Additional checks around the unmapping and remapping of chunks, which are abusable in different ways [7]. Also feels somewhat incomplete but still an improvement.

The tests passed but I did no profiling. The performance impact of the mmap related parts shouldn't be noticeable, the others I'm not sure about. I already did copyright assignment.


Istvan Kurucsai (7):
  malloc: Add check for top size corruption.
  malloc: Additional checks for unsorted bin integrity I.
  malloc: Ensure that the consolidated fast chunk has a sane size.
  malloc: Ensure lower bound on chunk size in __libc_realloc.
  malloc: Verify the integrity of mmapped chunks in calloc.
  malloc: Add more integrity checks to mremap_chunk.
  malloc: Check the alignment of mmapped chunks before unmapping.

 malloc/malloc.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 81 insertions(+), 11 deletions(-)


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]