From patchwork Fri Feb 14 05:34:54 2025
X-Patchwork-Submitter: Ben Kallus
X-Patchwork-Id: 106493
X-Patchwork-Delegate: dj@redhat.com
From: Ben Kallus
To: libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, Ben Kallus
Subject: [PATCH] malloc: Add integrity check to largebin nextsizes
Date: Fri, 14 Feb 2025 00:34:54 -0500
Message-ID: <20250214053454.2346370-1-benjamin.p.kallus.gr@dartmouth.edu>
X-Mailer: git-send-email 2.48.1

If an attacker overwrites the bk_nextsize link in the first chunk of a
largebin that later has a smaller chunk inserted into it, malloc will write
a heap pointer into an attacker-controlled address [0]. This patch adds an
integrity check to mitigate this attack.

[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/large_bin_attack.c

Signed-off-by: Ben Kallus
Reviewed-by: DJ Delorie
---
 malloc/malloc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index dcac903e2a..931ca48112 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4244,6 +4244,9 @@ _int_malloc (mstate av, size_t bytes)
                   fwd = bck;
                   bck = bck->bk;
 
+                  if (__glibc_unlikely (fwd->fd->bk_nextsize->fd_nextsize != fwd->fd))
+                    malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
+
                   victim->fd_nextsize = fwd->fd;
                   victim->bk_nextsize = fwd->fd->bk_nextsize;
                   fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
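Review bot: no regression test accompanies this hunk; a malloc/tst-*.c that corrupts the first chunk's bk_nextsize, frees a smaller largebin-sized chunk so this branch is taken, and expects the "largebin double linked list corrupted (nextsize)" abort would pin the behaviour (the how2heap PoC cited as [0] is the obvious basis). Two smaller points on the check itself: it dereferences the possibly corrupted pointer `fwd->fd->bk_nextsize` before anything else, so a value pointing at unmapped memory produces a SIGSEGV rather than the malloc_printerr abort, which is no worse than the unchecked `victim->bk_nextsize->fd_nextsize = victim` store that follows but is worth a sentence in the commit message; and since the check reads the very slot the later store writes, it only passes when that slot already holds `fwd->fd`, which rules out the arbitrary-write primitive entirely rather than just narrowing it, and the message could say so.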
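To make the scenario in the commit message concrete, here is an added example, written for this page and not part of the patch or of glibc, that models the largebin "insert a chunk smaller than everything in the bin" path with the new check switchable on and off. The struct mirrors the 64-bit malloc_chunk field order; `bin_init`, `insert_smaller`, `run_attack`, `insert_ok` and `model_printerr` are assumed helper names, and the corrupted bk_nextsize value and the target memory are constructed inline. With the check off, inserting the smaller chunk stores the victim's address at the attacker's chosen location; with the check on, the insertion aborts before that store.

```c
/* Model of the "victim is smaller than every chunk in the bin" path of
   glibc's large-bin insertion, reduced to the nextsize links.  Added example
   for this page, not glibc code: the struct mirrors malloc_chunk's field
   order on 64-bit glibc, while bin_init, insert_smaller, run_attack,
   insert_ok and model_printerr are assumed helper names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd, *bk;                    /* main doubly linked list   */
    struct chunk *fd_nextsize, *bk_nextsize;  /* size skip list (largebin) */
} chunk;

static chunk bin;            /* bin header; only fd/bk are used, as in glibc */
static int check_enabled;    /* 0 = before the patch, 1 = with the new check */

/* Stand-in for malloc_printerr: report instead of aborting the process. */
static void model_printerr(const char *msg) { fprintf(stderr, "%s\n", msg); }

/* Place one chunk into an empty large bin: its nextsize links loop to itself. */
static void bin_init(chunk *first) {
    bin.fd = bin.bk = first;
    first->fd = first->bk = &bin;
    first->fd_nextsize = first->bk_nextsize = first;
}

/* The patched branch of _int_malloc, statement for statement.
   Returns 0 on success, -1 where glibc would call malloc_printerr. */
static int insert_smaller(chunk *victim) {
    chunk *bck = &bin;
    chunk *fwd = bck;
    bck = bck->bk;                       /* current smallest chunk */
    if (check_enabled && fwd->fd->bk_nextsize->fd_nextsize != fwd->fd) {
        model_printerr("malloc(): largebin double linked list corrupted (nextsize)");
        return -1;
    }
    victim->fd_nextsize = fwd->fd;
    victim->bk_nextsize = fwd->fd->bk_nextsize;
    /* With bk_nextsize corrupted, the second store on this line writes the
       victim's address through the attacker's pointer. */
    fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;
    victim->bk = bck;
    victim->fd = fwd;
    fwd->bk = bck->fd = victim;
    return 0;
}

/* Constructed scenario: one chunk in the bin whose bk_nextsize has already been
   overwritten (e.g. by a heap overflow), then a smaller chunk is inserted.
   Returns 1 if the attacker's chosen address now holds a heap pointer,
   0 if it is untouched, -1 if the integrity check aborted the insertion. */
static int run_attack(int with_check) {
    chunk first, victim;
    union { chunk c; unsigned char raw[sizeof(chunk)]; } target;  /* constructed target memory */
    memset(&first, 0, sizeof first);
    memset(&victim, 0, sizeof victim);
    memset(&target, 0, sizeof target);
    first.size = 0x500;
    victim.size = 0x400;
    bin_init(&first);

    /* The attacker wants a pointer written at `chosen`.  Because the store is
       `->fd_nextsize = victim`, the value planted in bk_nextsize is
       chosen - offsetof(chunk, fd_nextsize), i.e. chosen - 0x20 on 64-bit. */
    uintptr_t chosen = (uintptr_t)&target + offsetof(chunk, fd_nextsize);
    first.bk_nextsize = (chunk *)(chosen - offsetof(chunk, fd_nextsize));

    check_enabled = with_check;
    if (insert_smaller(&victim) != 0)
        return -1;
    return target.c.fd_nextsize == &victim ? 1 : 0;
}

/* Sanity check: an uncorrupted insertion still passes the check and leaves a
   consistent two-element nextsize ring and bin list.  Returns 1 on success. */
static int insert_ok(void) {
    chunk first, victim;
    memset(&first, 0, sizeof first);
    memset(&victim, 0, sizeof victim);
    first.size = 0x500;
    victim.size = 0x400;
    bin_init(&first);
    check_enabled = 1;
    if (insert_smaller(&victim) != 0)
        return 0;
    return first.fd_nextsize == &victim && first.bk_nextsize == &victim
        && victim.fd_nextsize == &first && victim.bk_nextsize == &first
        && first.fd == &victim && victim.bk == &first && bin.bk == &victim;
}

int main(void) {
    printf("without check: %d (1 = arbitrary write happened)\n", run_attack(0));
    printf("with check:    %d (-1 = malloc_printerr)\n", run_attack(1));
    printf("benign insert: %d (1 = links consistent)\n", insert_ok());
    return 0;
}
```

Build with `cc -Wall model.c`. The check reads the same slot the attacker wants written, so it only passes when that slot already holds the first chunk's address, which is exactly the benign ring case; any other planted value aborts before the store.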