From patchwork Tue Nov 7 15:27:04 2017
X-Patchwork-Submitter: Istvan Kurucsai
X-Patchwork-Id: 24137
From: Istvan Kurucsai To: libc-alpha@sourceware.org Cc: Istvan Kurucsai Subject: [PATCH v2 1/7] malloc: Add check for top size corruption. Date: Tue, 7 Nov 2017 16:27:04 +0100 Message-Id: <1510068430-27816-2-git-send-email-pistukem@gmail.com> In-Reply-To: <1510068430-27816-1-git-send-email-pistukem@gmail.com> References: <1510068430-27816-1-git-send-email-pistukem@gmail.com> Ensure that the size of top is below av->system_mem. * malloc/malloc.c (_int_malloc): Check top size. --- malloc/malloc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/malloc/malloc.c b/malloc/malloc.c index f94d51c..4a30c42 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4078,6 +4078,10 @@ _int_malloc (mstate av, size_t bytes) if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) { + if (__glibc_unlikely ((unsigned long) (size) > + (unsigned long) (av->system_mem))) + malloc_printerr("malloc(): corrupted top chunk"); + remainder_size = size - nb; remainder = chunk_at_offset (victim, nb); av->top = remainder;
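
Review bot: The comparison added inside the `size >= nb + MINSIZE` branch only bounds the top size from above by av->system_mem, so an overwritten top size that is still at or below system_mem passes, and the check is never reached on the path where top is too small to serve the request. That is a sensible sanity bound for an implausibly large top size, but the commit message should say that this is the only case it covers so nobody reads it as a full integrity check of the top chunk. Two style points on the same lines: GNU formatting wants a space before the parenthesis in `malloc_printerr("malloc(): corrupted top chunk")`, and the condition should break before the `>` operator rather than leave it at the end of the first line.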