malloc: Check for large bin list corruption when inserting unsorted chunk
Commit Message
On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
>
> Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> of chunks in large bin when inserting chunk from unsorted bin. It was possible
> to write the pointer to victim (newly inserted chunk) to arbitrary memory
> locations if bk or bk_nextsize pointers of the next large bin chunk
> got corrupted.
>
Sending again with patch as attachment for better readability.
Best Regards,
Adam Mariš
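As an added illustration (not part of the patch or of glibc), a small C model of the nextsize link step that the patch hardens; the chunk struct, the decoy object and the simulate_insert helper are all constructed here, and the point is that the new check runs before anything is stored through a corrupted bk_nextsize:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the fields this patch touches (not glibc's real layout). */
struct chunk
{
  struct chunk *fd, *bk;                   /* bin list */
  struct chunk *fd_nextsize, *bk_nextsize; /* large-bin skip list */
};

/* Mirror of the patched path where victim becomes fwd's predecessor in the
   nextsize list.  checked == true runs the new integrity test before any store
   through fwd->bk_nextsize (glibc calls malloc_printerr there, this model
   returns false); checked == false behaves like the pre-patch code.  */
static bool
largebin_link_nextsize (struct chunk *victim, struct chunk *fwd, bool checked)
{
  victim->fd_nextsize = fwd;
  victim->bk_nextsize = fwd->bk_nextsize;
  if (checked && fwd->bk_nextsize->fd_nextsize != fwd)
    return false;                             /* corrupted (nextsize) */
  fwd->bk_nextsize = victim;
  victim->bk_nextsize->fd_nextsize = victim;  /* store through bk_nextsize */
  return true;
}

/* One-chunk nextsize ring; optionally point fwd->bk_nextsize at an unrelated
   decoy object (the corruption the message describes), then insert.  Returns
   1 if accepted with the decoy untouched, 0 if the check rejects it, -1 if the
   decoy's fd_nextsize slot now holds the victim pointer (the pre-patch bug).  */
static int
simulate_insert (bool corrupt, bool checked)
{
  struct chunk fwd = { 0 }, victim = { 0 }, decoy = { 0 };
  fwd.fd = fwd.bk = fwd.fd_nextsize = fwd.bk_nextsize = &fwd;
  if (corrupt)
    fwd.bk_nextsize = &decoy;
  bool accepted = largebin_link_nextsize (&victim, &fwd, checked);
  if (decoy.fd_nextsize == &victim)
    return -1;
  return accepted ? 1 : 0;
}

int main (void)
{
  printf ("intact, checked: %d\n", simulate_insert (false, true));    /* 1 */
  printf ("corrupt, unchecked: %d\n", simulate_insert (true, false)); /* -1 */
  printf ("corrupt, checked: %d\n", simulate_insert (true, true));    /* 0 */
  return 0;
}
```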
Comments
On Tue, Feb 12, 2019 at 5:34 PM Adam Maris <amaris@redhat.com> wrote:
>
> On Tue, Feb 12, 2019 at 5:13 PM Adam Maris <amaris@redhat.com> wrote:
> >
> > Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
> > of chunks in large bin when inserting chunk from unsorted bin. It was possible
> > to write the pointer to victim (newly inserted chunk) to arbitrary memory
> > locations if bk or bk_nextsize pointers of the next large bin chunk
> > got corrupted.
> >
>
> Sending again with patch as attachment for better readability.
>
Thoughts?
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else
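Review bot: the added "if (bck->fd != fwd)" test is not wrapped in __glibc_unlikely while the nextsize check a few lines above is; wrap it the same way so both corruption checks are marked as cold paths and read consistently with the surrounding code. Ordering looks right: the nextsize check sits after victim->bk_nextsize is loaded from fwd->bk_nextsize but before the two stores "fwd->bk_nextsize = victim;" and "victim->bk_nextsize->fd_nextsize = victim;", so a corrupted bk_nextsize is never written through, which is what closes the write described in the commit message; the message could say so explicitly.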