This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.28/master updated. glibc-2.28-39-g7e40c3f
- From: carlos at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 12 Nov 2018 12:43:59 -0000
- Subject: GNU C Library master sources branch release/2.28/master updated. glibc-2.28-39-g7e40c3f
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.28/master has been updated
via 7e40c3f804b5d5dbbc0519565b16101ab22fb899 (commit)
from 510a25f2d208e3b0c86f54b053f61c5b647e4b9b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7e40c3f804b5d5dbbc0519565b16101ab22fb899
commit 7e40c3f804b5d5dbbc0519565b16101ab22fb899
Author: Moritz Eckert <m.eckert@cs.ucsb.edu>
Date: Thu Aug 16 21:08:36 2018 -0400
malloc: Mitigate null-byte overflow attacks
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.
(cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f)
diff --git a/ChangeLog b/ChangeLog
index 44795b2..e819910 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-16 DJ Delorie <dj@delorie.com>
+
+ * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
+ (malloc_consolidate): Likewise.
+
2018-08-16 Pochang Chen <johnchen902@gmail.com>
* malloc/malloc.c (_int_malloc.c): Verify size of top chunk.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9431108..7c8bf84 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size while consolidating");
unlink(av, p, bck, fwd);
}
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
prevsize = prev_size (p);
size += prevsize;
p = chunk_at_offset(p, -((long) prevsize));
+ if (__glibc_unlikely (chunksize(p) != prevsize))
+ malloc_printerr ("corrupted size vs. prev_size in fastbins");
unlink(av, p, bck, fwd);
}
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 5 +++++
malloc/malloc.c | 4 ++++
2 files changed, 9 insertions(+), 0 deletions(-)
hooks/post-receive
--
GNU C Library master sources