[Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check.

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug malloc/26306] New: Confusion in malloc.c  about the fastbins size check.
@ 2020-07-28  7:19 hkrawbytes at gmail dot com
  2020-07-28  9:53 ` [Bug malloc/26306] " fweimer at redhat dot com
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: hkrawbytes at gmail dot com @ 2020-07-28  7:19 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

            Bug ID: 26306
           Summary: Confusion in malloc.c  about the fastbins size check.
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: malloc
          Assignee: unassigned at sourceware dot org
          Reporter: hkrawbytes at gmail dot com
  Target Milestone: ---

Created attachment 12728
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12728&action=edit
poc

It looks like there's some confusion in malloc.c as to whether the fastbin
index should be treated as an int or a long int during the fastbin size
integrity check. The fastbin_idx macro casts the chunk size field down to an
unsigned int, which is then confusingly stored as a long int for use in the
integrity check.
And it presents in the latest glibc versions and also in old one's.
The result is that, the fastbin size integrity check only applies to the 4
least-significant bytes of the size field.

Here's the POC.

```
#include<stdio.h>
#include<stdlib.h>
#include<string.h>

int main()
{
        char *i[7];
        char *j;
        int s;
        char *k[7];     
        char *b;
        for(s = 0;s<7;s++) {
                i[s] = (char *) malloc(0x10);
        }
        j = (char *) malloc(0x10);
        for(s=0;s<7;s++) {
                free(i[s]);
        }
        free(j);
        memcpy((j - 0x8),"\x21\x00\x00\x00\x61\x61\x61\x61", 8);                
        for(s=0;s<7;s++) {
                k[s] = (char *) malloc(0x10);
        }
        b = (char *) malloc(0x10);


}
```
The fastbin size integrity check should check for the whole qword right?.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug malloc/26306] Confusion in malloc.c  about the fastbins size check.
  2020-07-28  7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com
@ 2020-07-28  9:53 ` fweimer at redhat dot com
  2020-07-28 10:07 ` hkrawbytes at gmail dot com
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2020-07-28  9:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Thanks for the report. Flagging this a security- because it is merely security
hardening.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug malloc/26306] Confusion in malloc.c  about the fastbins size check.
  2020-07-28  7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com
  2020-07-28  9:53 ` [Bug malloc/26306] " fweimer at redhat dot com
@ 2020-07-28 10:07 ` hkrawbytes at gmail dot com
  2020-07-28 10:08 ` hkrawbytes at gmail dot com
  2020-07-31 10:01 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: hkrawbytes at gmail dot com @ 2020-07-28 10:07 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

--- Comment #2 from hk <hkrawbytes at gmail dot com> ---
Yes it is just a security hardening, I actually found this during ctf
challenge.
Is it okay if i propose a patch for this .

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug malloc/26306] Confusion in malloc.c  about the fastbins size check.
  2020-07-28  7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com
  2020-07-28  9:53 ` [Bug malloc/26306] " fweimer at redhat dot com
  2020-07-28 10:07 ` hkrawbytes at gmail dot com
@ 2020-07-28 10:08 ` hkrawbytes at gmail dot com
  2020-07-31 10:01 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: hkrawbytes at gmail dot com @ 2020-07-28 10:08 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

--- Comment #3 from hk <hkrawbytes at gmail dot com> ---
Yes it is just a security hardening, I actually found this during ctf
challenge.
Is it okay if i propose a patch for this .

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [Bug malloc/26306] Confusion in malloc.c  about the fastbins size check.
  2020-07-28  7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com
                   ` (2 preceding siblings ...)
  2020-07-28 10:08 ` hkrawbytes at gmail dot com
@ 2020-07-31 10:01 ` fweimer at redhat dot com
  3 siblings, 0 replies; 5+ messages in thread
From: fweimer at redhat dot com @ 2020-07-31 10:01 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to hk from comment #3)
> Is it okay if i propose a patch for this .

How large is the patch going to be?  If it changes just a few lines (fewer than
15), we don't need copyright assignment according to guidance we have received
from the Free Software Foundation.

For larger changes, you will have to file paperwork with the Free Software
Foundation:

https://sourceware.org/glibc/wiki/Contribution%20checklist#FSF_copyright_Assignment

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-07-31 10:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-28  7:19 [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check hkrawbytes at gmail dot com
2020-07-28  9:53 ` [Bug malloc/26306] " fweimer at redhat dot com
2020-07-28 10:07 ` hkrawbytes at gmail dot com
2020-07-28 10:08 ` hkrawbytes at gmail dot com
2020-07-31 10:01 ` fweimer at redhat dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).