From patchwork Tue Feb 12 16:34:00 2019
X-Patchwork-Submitter: Adam Maris
X-Patchwork-Id: 31422
From: Adam Maris
Date: Tue, 12 Feb 2019 17:34:00 +0100
Subject: Re: [PATCH] malloc: Check for large bin list corruption when inserting unsorted chunk
To: libc-alpha@sourceware.org

On Tue, Feb 12, 2019 at 5:13 PM Adam Maris wrote:
>
> Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> of chunks in large bin when inserting chunk from unsorted bin. It was possible
> to write the pointer to victim (newly inserted chunk) to arbitrary memory
> locations if bk or bk_nextsize pointers of the next large bin chunk
> got corrupted.
>

Sending again with patch as attachment for better readability.

Best Regards,
Adam Mariš

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d11bc..801ba1f499 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)"); } } else
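Review bot: the second check, `if (bck->fd != fwd)`, is missing the `__glibc_unlikely` hint that the first check in this same hunk uses; the error path is never taken on an intact heap, so for consistency with the `(nextsize)` check and to keep the branch layout of the fast path unchanged it should read `if (__glibc_unlikely (bck->fd != fwd))`. The placement of the first check is correct: it reads `fwd->bk_nextsize->fd_nextsize` before `fwd->bk_nextsize = victim` overwrites the pointer being validated, so a corrupted `bk_nextsize` is rejected before `victim->bk_nextsize->fd_nextsize = victim` would write through it. Using two distinct messages, `(nextsize)` and `(bk)`, is also the right call, since it tells a crash triager which of the two list invariants failed.

The quoted description says the bug let the pointer to victim be written wherever a corrupted bk pointer pointed. The C program below is an added example (not glibc code, and not from the patch author) that reproduces the shape of the fix on a toy circular doubly linked list: `insert_before_checked` refuses to link a node in front of `fwd` unless `fwd->bk->fd == fwd`, which is exactly the `(bk)` invariant the hunk enforces. The node layout, the `bogus` node and the corruption step are constructed for the demonstration; nothing here models the size-sorted `nextsize` list.

```c
#include <stdio.h>

/* Toy circular doubly linked list with the same fd/bk naming as the
   malloc bins.  The head is itself a node, so the list is never empty.
   Added example, not glibc code. */
struct node {
  struct node *fd;   /* next */
  struct node *bk;   /* previous */
};

static void list_init(struct node *head)
{
  head->fd = head;
  head->bk = head;
}

/* Link victim in front of fwd, mirroring the hunk's "bck = fwd->bk" step.
   Returns 0 on success and -1 if fwd's predecessor does not point back at
   fwd, i.e. the list is corrupted and bck must not be written through. */
static int insert_before_checked(struct node *fwd, struct node *victim)
{
  struct node *bck = fwd->bk;
  if (bck->fd != fwd)   /* the "(bk)" invariant from the patch */
    return -1;
  victim->fd = fwd;
  victim->bk = bck;
  fwd->bk = victim;
  bck->fd = victim;     /* only reached once bck is known to be a real neighbour */
  return 0;
}

/* Walk the whole ring and confirm every fd/bk pair is mutually consistent. */
static int list_consistent(const struct node *head)
{
  const struct node *p = head;
  do {
    if (p->fd->bk != p || p->bk->fd != p)
      return 0;
    p = p->fd;
  } while (p != head);
  return 1;
}

/* Happy path: build head <-> b <-> a through two checked inserts. */
static int demo_happy_path(void)
{
  struct node head, a, b;
  list_init(&head);
  if (insert_before_checked(&head, &a) != 0)   /* head <-> a */
    return 0;
  if (insert_before_checked(&a, &b) != 0)      /* head <-> b <-> a */
    return 0;
  return list_consistent(&head) && head.fd == &b && b.fd == &a && a.fd == &head;
}

/* Corruption path (constructed): a's bk is redirected to a stray node that
   is not part of the ring.  The check must reject the insert and leave the
   stray node untouched. */
static int demo_detects_corruption(void)
{
  struct node head, a, victim, bogus;
  list_init(&head);
  bogus.fd = &bogus;   /* stray node, deliberately not linked into the list */
  bogus.bk = &bogus;
  if (insert_before_checked(&head, &a) != 0)   /* head <-> a */
    return 0;
  a.bk = &bogus;       /* simulated pointer corruption */
  int rc = insert_before_checked(&a, &victim);
  return rc == -1 && bogus.fd == &bogus && a.fd == &head;
}

int main(void)
{
  printf("happy path ok:        %d\n", demo_happy_path());
  printf("corruption detected:  %d\n", demo_detects_corruption());
  return 0;
}
```

The point of the check is ordering: the invariant is tested before any store goes through `bck`, so a tampered back pointer never becomes a write target. In glibc the rejection is `malloc_printerr`, which aborts the process; the toy returns -1 so the outcome can be inspected.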