malloc: harden removal from unsorted list

Message ID	c7071e51-7545-c618-85dc-2f10f3b88e4d@google.com
State	Committed, archived
Headers	Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org From: Francois Goichon <fgoichon@google.com> Subject: Re: [PATCH] malloc: harden removal from unsorted list To: fw@deneb.enyo.de Cc: libc-alpha@sourceware.org References: <9b74b50e-66a6-3321-5668-d89b35a21cd8@google.com> <87h8q59k2t.fsf@mid.deneb.enyo.de> Message-ID: <c7071e51-7545-c618-85dc-2f10f3b88e4d@google.com> Date: Mon, 26 Feb 2018 11:48:01 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <87h8q59k2t.fsf@mid.deneb.enyo.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit

Message ID

c7071e51-7545-c618-85dc-2f10f3b88e4d@google.com

State

Committed, archived

Headers

Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
From: Francois Goichon <fgoichon@google.com>
Subject: Re: [PATCH] malloc: harden removal from unsorted list
To: fw@deneb.enyo.de
Cc: libc-alpha@sourceware.org
References: <9b74b50e-66a6-3321-5668-d89b35a21cd8@google.com>
	<87h8q59k2t.fsf@mid.deneb.enyo.de>
Message-ID: <c7071e51-7545-c618-85dc-2f10f3b88e4d@google.com>
Date: Mon, 26 Feb 2018 11:48:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
	Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <87h8q59k2t.fsf@mid.deneb.enyo.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Commit Message

Francois Goichon Feb. 26, 2018, 10:48 a.m. UTC

  On the exploitability of this, the += was just there to explicitly point
out the targeted bin, but an actual exploitation would more likely look
at  overwriting the least significant byte(s), or the full address if in
a position to leak a free or uninitialized chunk beforehand.

I believe this is in line with other attacks that malloc tries to
prevent, i.e. where controlling a single pointer is sufficient to get
significant control over the application's behavior. I agree it's a fine
line though and that it's not malloc's role to stop exploitation of edge
cases where the attacker has an unreasonable amount of control.

Happy to try and put numbers on the performance impact of this change
if it's a concern here - if yes is there a benchmark that would be best
suited to this usecase?

Rolled back the existing messages as suggested:


---
  malloc/malloc.c | 2 ++
  1 file changed, 2 insertions(+)

diff mbox

Patch

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 58f9acd4d1..fd1a263e9e 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3775,6 +3775,8 @@  _int_malloc (mstate av, size_t bytes)
              }

            /* remove from unsorted list */
+          if (__glibc_unlikely (bck->fd != victim))
+            malloc_printerr ("malloc(): corrupted unsorted chunks 3");
            unsorted_chunks (av)->bk = bck;
            bck->fd = unsorted_chunks (av);