This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[RFC][PATCH 0/7] Additional integrity checks for the malloc implementation


This patch set tries to improve on the current integrity checks in malloc. The goal was to eliminate known exploitation techniques with the simplest possible changes. A quick overview of the individual patches:

(1/7) An attempt at hardening the `use_top` part of malloc against corruption and pivoting of the top chunk, known as the House of Force [1]. The possibility of extending the top chunk from an mmapped arena into another remains.

(2/7) The binning code in malloc is rather attacker-friendly [2][3]. Change this by enforcing as many invariants as possible on chunks from the unsorted bin.

(3/7) `malloc_consolidate` contains no integrity checks besides the ones in `unlink`. This can be abused by an attacker in a couple of ways [4]. The patch limits the possibilities significantly.

(4/7) Fix an unsigned underflow and subsequent wild memcpy that can be triggered by a corrupted chunk size in `__libc_realloc` [5]. 

(5/7) By corrupting the `IS_MMAPPED` bit of a free chunk, an attacker can force calloc to return an uninitialized chunk [6]. The patch adds checks to the `IS_MMAPPED` path in calloc, even though the protection is not complete.

(6/7), (7/7): Additional checks around the unmapping and remapping of chunks, which are abusable in different ways [7]. Also feels somewhat incomplete but still an improvement.

The tests passed but I did no profiling. The performance impact of the mmap-related parts shouldn't be noticeable; the others I'm not sure about. I already did copyright assignment.


[1]: https://github.com/shellphish/how2heap/blob/master/house_of_force.c 
[2]: https://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf
[3]: https://github.com/shellphish/how2heap/blob/master/unsorted_bin_attack.c
[4]: http://tukan.farm/2016/09/04/fastbin-fever/ 
[5]: http://tukan.farm/2016/11/03/once-upon-a-realloc/
[6]: http://tukan.farm/2016/10/14/scraps-of-notes/
[7]: http://tukan.farm/2016/07/27/munmap-madness/

Istvan Kurucsai (7):
  malloc: Add check for top size corruption.
  malloc: Additional checks for unsorted bin integrity I.
  malloc: Ensure that the consolidated fast chunk has a sane size.
  malloc: Ensure lower bound on chunk size in __libc_realloc.
  malloc: Verify the integrity of mmapped chunks in calloc.
  malloc: Add more integrity checks to mremap_chunk.
  malloc: Check the alignment of mmapped chunks before unmapping.

 malloc/malloc.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 81 insertions(+), 11 deletions(-)

-- 
2.7.4
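
The size arithmetic behind item (4/7), shown as an added example that is not part of the original message and is not glibc code: a stand-alone model of how a corrupted size field turns an unsigned subtraction into a huge copy length, and how a lower-bound check rejects it. The names `copy_len_unchecked`, `copy_len_checked`, `HDR_SZ` and `MIN_CHUNK`, the choice of four words as the lower bound, and the sample size fields are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants modelled on the chunk layout in malloc.c; this is a
   stand-alone model for illustration, not glibc code. */
#define SIZE_SZ   (sizeof(size_t))
#define HDR_SZ    (2 * SIZE_SZ)   /* prev_size field + size field */
#define MIN_CHUNK (4 * SIZE_SZ)   /* assumed lower bound: header + two list pointers */
#define FLAG_BITS ((size_t)0x7)   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* Chunk size is the size field with the three low flag bits masked off. */
static size_t chunk_size(size_t size_field) { return size_field & ~FLAG_BITS; }

/* Payload length with no validation: wraps around when size < HDR_SZ. */
size_t copy_len_unchecked(size_t size_field)
{
    return chunk_size(size_field) - HDR_SZ;
}

/* Hardened variant: returns 0 and stores the length, or -1 if the size
   field is below the lower bound and therefore must be corrupted. */
int copy_len_checked(size_t size_field, size_t *len)
{
    size_t sz = chunk_size(size_field);
    if (sz < MIN_CHUNK)           /* after this the subtraction cannot wrap */
        return -1;
    *len = sz - HDR_SZ;
    return 0;
}

int main(void)
{
    /* Constructed size fields: one sane mmapped chunk, two corrupted ones. */
    const size_t samples[] = { 0x92, 0x02, 0x0a };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        int rc = copy_len_checked(samples[i], &len);
        printf("size field %#zx: unchecked length %#zx, checked %s\n",
               samples[i], copy_len_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

In a real allocator the rejected case would abort the process rather than return an error code, since a size field below the minimum can only come from corrupted heap metadata.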

