public inbox for glibc-bugs@sourceware.org
* [Bug malloc/17344] New: Enhance glibc metadata hardening with the attached patch
@ 2014-09-03  1:31 scarybeasts at gmail dot com
  2014-09-04 11:15 ` [Bug malloc/17344] " fweimer at redhat dot com
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: scarybeasts at gmail dot com @ 2014-09-03  1:31 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

            Bug ID: 17344
           Summary: Enhance glibc metadata hardening with the attached
                    patch
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: scarybeasts at gmail dot com

Created attachment 7769
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7769&action=edit
Check linked list integrity for the large sized chunk list too.

As a follow-on from my recent glibc exploit:

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

I'd have really been slowed down, perhaps even stopped, if the existing
metadata hardening tricks were extended to one more place. I've attached a
patch. It checks doubly-linked list integrity on unlink in one more place: the
linked list for larger-sized chunks.

Please consider applying it. There was already an assert() for this check; this
patch simply elevates this from an assert() to a runtime check.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug malloc/17344] Enhance glibc metadata hardening with the attached patch
From: fweimer at redhat dot com @ 2014-09-04 11:15 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This is hardening, although it is very desirable to have.


* [Bug malloc/17344] Enhance glibc metadata hardening with the attached patch
From: fweimer at redhat dot com @ 2014-09-10  8:23 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com


* [Bug malloc/17344] Enhance glibc metadata hardening with the attached patch
From: cvs-commit at gcc dot gnu.org @ 2014-09-11  9:02 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  52ffbdf25a1100986f4ae27bb0febbe5a722ab25 (commit)
      from  984c0ea97f649c869130a1ff099098e2b6f70aad (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52ffbdf25a1100986f4ae27bb0febbe5a722ab25

commit 52ffbdf25a1100986f4ae27bb0febbe5a722ab25
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 10 20:29:15 2014 +0200

    malloc: additional unlink hardening for non-small bins [BZ #17344]

    Turn two asserts into a conditional call to malloc_printerr.  The
    memory locations are accessed later anyway, so the performance
    impact is minor.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog       |    6 ++++++
 NEWS            |    2 +-
 malloc/malloc.c |    6 ++++--
 3 files changed, 11 insertions(+), 3 deletions(-)

^ permalink raw reply	[flat|nested] 6+ messages in thread
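
The check discussed in this thread (the reporter's "runtime check" and the commit's "two asserts" turned into a conditional), shown as an added example that is not part of the original messages and is not glibc source: a simplified C model of unlinking a chunk from the size-ordered `fd_nextsize`/`bk_nextsize` list, once with the links trusted and once with the invariant checked in every build. The `struct chunk` layout, the function names and the `-1` return code are assumptions for illustration; glibc reports the failure through `malloc_printerr` instead.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a large-bin chunk (assumption, not glibc's struct). */
struct chunk { struct chunk *fd_nextsize, *bk_nextsize; };

/* Models a build with the old assert() compiled out: links are trusted. */
static void unlink_unchecked(struct chunk *p) {
    p->fd_nextsize->bk_nextsize = p->bk_nextsize;
    p->bk_nextsize->fd_nextsize = p->fd_nextsize;
}

/* Hardened form: the same invariant, evaluated at run time in every build.
   Returns 0 on success, -1 on a broken list (glibc calls malloc_printerr). */
static int unlink_checked(struct chunk *p) {
    if (p->fd_nextsize->bk_nextsize != p || p->bk_nextsize->fd_nextsize != p)
        return -1;                 /* refuse to write through bad links */
    unlink_unchecked(p);
    return 0;
}

/* Builds the circular list a <-> b <-> c. */
static void link3(struct chunk *a, struct chunk *b, struct chunk *c) {
    a->fd_nextsize = b; b->fd_nextsize = c; c->fd_nextsize = a;
    a->bk_nextsize = c; b->bk_nextsize = a; c->bk_nextsize = b;
}

/* Constructed corruption: b's links point at x, which was never in the
   list. Returns 1 if unlinking b wrote into x. */
static int bystander_modified(int use_check) {
    struct chunk a, b, c, x = { NULL, NULL };
    link3(&a, &b, &c);
    b.fd_nextsize = b.bk_nextsize = &x;
    if (use_check) (void)unlink_checked(&b); else unlink_unchecked(&b);
    return x.fd_nextsize != NULL || x.bk_nextsize != NULL;
}

/* Intact list: the checked unlink succeeds and a, c become neighbours. */
static int intact_unlink_ok(void) {
    struct chunk a, b, c;
    link3(&a, &b, &c);
    return unlink_checked(&b) == 0 && a.fd_nextsize == &c && c.bk_nextsize == &a;
}

int main(void) {
    printf("unchecked unlink wrote to bystander: %d\n", bystander_modified(0));
    printf("checked unlink wrote to bystander:   %d\n", bystander_modified(1));
    printf("intact list unlinks cleanly:         %d\n", intact_unlink_ok());
    return 0;
}
```

The comparison reads the same two locations the unlink is about to write, which matches the commit message's point that the memory is accessed later anyway.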

* [Bug malloc/17344] Enhance glibc metadata hardening with the attached patch
From: fweimer at redhat dot com @ 2014-09-11  9:03 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in 2.21.


* [Bug malloc/17344] Enhance glibc metadata hardening with the attached patch
From: cvs-commit at gcc dot gnu.org @ 2014-10-31 21:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=17344

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  b09adb5b46327e4a2ea354d5524280146d9c6015 (commit)
      from  94a42455257226361fedf37a0ad7fc1d9d131645 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b09adb5b46327e4a2ea354d5524280146d9c6015

commit b09adb5b46327e4a2ea354d5524280146d9c6015
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Fri Oct 31 21:21:15 2014 +0000

    Add bug 15215 to NEWS; move bug 17344 to correct version's list in NEWS.

-----------------------------------------------------------------------

Summary of changes:
 NEWS |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
