This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] malloc/malloc.c: Mitigate null-byte overflow attacks
- From: Moritz Eckert <m dot eckert at cs dot ucsb dot edu>
- To: DJ Delorie <dj at redhat dot com>
- Cc: fweimer at redhat dot com, libc-alpha at sourceware dot org, scarybeasts at gmail dot com
- Date: Mon, 15 Jan 2018 11:56:34 -0800
- Subject: Re: [PATCH] malloc/malloc.c: Mitigate null-byte overflow attacks
- References: <xnmv3oxv5p.fsf@greed.delorie.com> <013ad5d1-5dac-0f03-0009-0c982c9a314b@cs.ucsb.edu>
Hi,
I gave this another thought and, to make things simpler, propose a slight change in the patch that would keep the old check and just additionally check the prev_size<->size before traversing back in memory.
That way, we'll just add an easy, efficient way of catching the poison_null_byte, without any other implications.
Thanks,
Moritz
diff --git a/malloc/malloc.c b/malloc/malloc.c
index f5aafd2c05..d6ebfafd9a 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4288,6 +4288,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__builtin_expect (chunksize(p) != prevsize, 0))
+ malloc_printerr ("corrupted size vs. prev_size");
unlink(av, p, bck, fwd);
}
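Review bot: the new comparison in the `_int_free` hunk dereferences the freshly computed `p` (via `chunksize(p)`) before anything bounds `prevsize`, so it is a consistency check on a readable header rather than a range check; a wildly wrong `prev_size` will still walk out of the arena and fault instead of reaching `malloc_printerr`. The comparison itself is sound: `prev_size` carries no flag bits and `chunksize()` masks the low three bits, so a size field that was truncated by a stray NUL no longer matches the `prev_size` the following chunk recorded. Minor style point: malloc.c expresses this kind of hint as `if (__glibc_unlikely (chunksize(p) != prevsize))` rather than a bare `__builtin_expect (..., 0)`.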
@@ -4449,6 +4451,8 @@ static void malloc_consolidate(mstate av)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__builtin_expect (chunksize(p) != prevsize, 0))
+ malloc_printerr ("corrupted size vs. prev_size");
unlink(av, p, bck, fwd);
}
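Review bot: this hunk in `malloc_consolidate` is a verbatim copy of the `_int_free` one, and the two must stay in sync since both sites perform the same `prev_size`/`chunk_at_offset`/`unlink` sequence; a one-line comment above the check here saying what it guards against (a previous chunk whose size field was shrunk, e.g. by a single NUL write, while the next chunk's `prev_size` still holds the old value) would explain the duplication to the next reader and make the intent of the error string clear.

The check the patch adds, modelled on a constructed two-word chunk header so it can be run stand-alone (this is an added illustration, not glibc's code; offsets, sizes and the little-endian assumption are all constructed for the example):

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the glibc chunk header (assumed layout, not glibc's own
   code): each chunk starts with two size_t words, prev_size then size, and the
   low three bits of size are flags (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA). */
#define SIZE_BITS ((size_t)0x7)
#define HEAP_LEN  0x400
#define W         sizeof(size_t)

static size_t rd(const unsigned char *p) { size_t v; memcpy(&v, p, W); return v; }
static void   wr(unsigned char *p, size_t v) { memcpy(p, &v, W); }
static size_t chunksize(const unsigned char *p) { return rd(p + W) & ~SIZE_BITS; }

/* Model of the added check: before consolidating backward from the chunk at
   `off`, find the previous chunk through prev_size and require that its own
   size field agrees.  Returns 1 if unlink may proceed, 0 where the patch would
   call malloc_printerr ("corrupted size vs. prev_size"). */
int prev_size_consistent(const unsigned char *heap, size_t off)
{
    size_t prevsize = rd(heap + off);
    if (prevsize == 0 || prevsize > off)   /* model-only bound on the constructed buffer */
        return 0;
    return chunksize(heap + off - prevsize) == prevsize;
}

/* Constructed layout: A at 0x000 (size 0x100), B at 0x100 (size 0x210), C at
   0x310 with prev_size 0x210 and PREV_INUSE clear, i.e. B is free and C would
   merge backward into it on free.  Returns C's offset. */
size_t build_heap(unsigned char *heap)
{
    memset(heap, 0, HEAP_LEN);
    wr(heap + 0x000 + W, 0x100 | 1);
    wr(heap + 0x100 + W, 0x210 | 1);
    wr(heap + 0x310,     0x210);
    wr(heap + 0x310 + W, 0x90);
    return 0x310;
}

/* A's usable bytes run up to B's size field; one NUL written past them lands on
   the low byte of B's size (little-endian): 0x211 becomes 0x200 while C's
   prev_size still reads 0x210.  That mismatch is what the patch catches. */
void poison_null_byte(unsigned char *heap) { heap[0x100 + W] = 0; }

/* Runs the scenario end to end: 1 on the intact heap, 0 once B's size is shrunk. */
int check_survives(int poisoned)
{
    unsigned char heap[HEAP_LEN];
    size_t c = build_heap(heap);
    if (poisoned)
        poison_null_byte(heap);
    return prev_size_consistent(heap, c);
}
```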