public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check. @ 2020-07-28 7:19 hkrawbytes at gmail dot com 2020-07-28 9:53 ` [Bug malloc/26306] " fweimer at redhat dot com ` (3 more replies) 0 siblings, 4 replies; 5+ messages in thread From: hkrawbytes at gmail dot com @ 2020-07-28 7:19 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=26306 Bug ID: 26306 Summary: Confusion in malloc.c about the fastbins size check. Product: glibc Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: malloc Assignee: unassigned at sourceware dot org Reporter: hkrawbytes at gmail dot com Target Milestone: --- Created attachment 12728 --> https://sourceware.org/bugzilla/attachment.cgi?id=12728&action=edit poc It looks like there's some confusion in malloc.c as to whether the fastbin index should be treated as an int or a long int during the fastbin size integrity check. The fastbin_idx macro casts the chunk size field down to an unsigned int, which is then confusingly stored as a long int for use in the integrity check. And it presents in the latest glibc versions and also in old one's. The result is that, the fastbin size integrity check only applies to the 4 least-significant bytes of the size field. Here's the POC. ``` #include<stdio.h> #include<stdlib.h> #include<string.h> int main() { char *i[7]; char *j; int s; char *k[7]; char *b; for(s = 0;s<7;s++) { i[s] = (char *) malloc(0x10); } j = (char *) malloc(0x10); for(s=0;s<7;s++) { free(i[s]); } free(j); memcpy((j - 0x8),"\x21\x00\x00\x00\x61\x61\x61\x61", 8); for(s=0;s<7;s++) { k[s] = (char *) malloc(0x10); } b = (char *) malloc(0x10); } ``` The fastbin size integrity check should check for the whole qword right?. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug malloc/26306] Confusion in malloc.c about the fastbins size check. 2020-07-28 7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com @ 2020-07-28 9:53 ` fweimer at redhat dot com 2020-07-28 10:07 ` hkrawbytes at gmail dot com ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: fweimer at redhat dot com @ 2020-07-28 9:53 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=26306 Florian Weimer <fweimer at redhat dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |security- --- Comment #1 from Florian Weimer <fweimer at redhat dot com> --- Thanks for the report. Flagging this a security- because it is merely security hardening. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug malloc/26306] Confusion in malloc.c about the fastbins size check. 2020-07-28 7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com 2020-07-28 9:53 ` [Bug malloc/26306] " fweimer at redhat dot com @ 2020-07-28 10:07 ` hkrawbytes at gmail dot com 2020-07-28 10:08 ` hkrawbytes at gmail dot com 2020-07-31 10:01 ` fweimer at redhat dot com 3 siblings, 0 replies; 5+ messages in thread From: hkrawbytes at gmail dot com @ 2020-07-28 10:07 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=26306 --- Comment #2 from hk <hkrawbytes at gmail dot com> --- Yes it is just a security hardening, I actually found this during ctf challenge. Is it okay if i propose a patch for this . -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug malloc/26306] Confusion in malloc.c about the fastbins size check. 2020-07-28 7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com 2020-07-28 9:53 ` [Bug malloc/26306] " fweimer at redhat dot com 2020-07-28 10:07 ` hkrawbytes at gmail dot com @ 2020-07-28 10:08 ` hkrawbytes at gmail dot com 2020-07-31 10:01 ` fweimer at redhat dot com 3 siblings, 0 replies; 5+ messages in thread From: hkrawbytes at gmail dot com @ 2020-07-28 10:08 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=26306 --- Comment #3 from hk <hkrawbytes at gmail dot com> --- Yes it is just a security hardening, I actually found this during ctf challenge. Is it okay if i propose a patch for this . -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug malloc/26306] Confusion in malloc.c about the fastbins size check. 2020-07-28 7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com ` (2 preceding siblings ...) 2020-07-28 10:08 ` hkrawbytes at gmail dot com @ 2020-07-31 10:01 ` fweimer at redhat dot com 3 siblings, 0 replies; 5+ messages in thread From: fweimer at redhat dot com @ 2020-07-31 10:01 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=26306 Florian Weimer <fweimer at redhat dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fweimer at redhat dot com --- Comment #4 from Florian Weimer <fweimer at redhat dot com> --- (In reply to hk from comment #3) > Is it okay if i propose a patch for this . How large is the patch going to be? If it changes just a few lines (fewer than 15), we don't need copyright assignment according to guidance we have received from the Free Software Foundation. For larger changes, you will have to file paperwork with the Free Software Foundation: https://sourceware.org/glibc/wiki/Contribution%20checklist#FSF_copyright_Assignment -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-07-31 10:01 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-07-28 7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com 2020-07-28 9:53 ` [Bug malloc/26306] " fweimer at redhat dot com 2020-07-28 10:07 ` hkrawbytes at gmail dot com 2020-07-28 10:08 ` hkrawbytes at gmail dot com 2020-07-31 10:01 ` fweimer at redhat dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).