From: "hkrawbytes at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/26306] New: Confusion in malloc.c about the fastbins size check.
Date: Tue, 28 Jul 2020 07:19:38 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26306

Bug ID: 26306
Summary: Confusion in malloc.c about the fastbins size check.
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: hkrawbytes at gmail dot com
Target Milestone: ---

Created attachment 12728
  --> https://sourceware.org/bugzilla/attachment.cgi?id=12728&action=edit
poc

It looks like there's some confusion in malloc.c as to whether the fastbin index should be treated as an int or a long int during the fastbin size integrity check. The fastbin_idx macro casts the chunk size field down to an unsigned int, which is then confusingly stored as a long int for use in the integrity check. It is present in the latest glibc versions and also in old ones.

The result is that the fastbin size integrity check only applies to the 4 least-significant bytes of the size field.

Here's the POC.

```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char *i[7];
    char *j;
    int s;
    char *k[7];
    char *b;

    /* Seven 0x20-byte chunks, plus one more (j) that is freed last. */
    for (s = 0; s < 7; s++)
    {
        i[s] = (char *) malloc(0x10);
    }
    j = (char *) malloc(0x10);

    for (s = 0; s < 7; s++)
    {
        free(i[s]);
    }
    free(j);

    /* Overwrite j's size field: the low 4 bytes stay 0x21, the high 4 bytes become 0x61616161. */
    memcpy((j - 0x8), "\x21\x00\x00\x00\x61\x61\x61\x61", 8);

    /* Allocate again; the malloc that hands j back from the fastbin passes the size check. */
    for (s = 0; s < 7; s++)
    {
        k[s] = (char *) malloc(0x10);
    }
    b = (char *) malloc(0x10);

    return 0;
}
```

The fastbin size integrity check should check for the whole qword, right?
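To make the truncation the report describes visible without touching a live heap, here is an added example that is not part of the bug report or of glibc. It reproduces the fastbin_index and chunksize macros as they appear in malloc.c next to a hypothetical full-width variant (fastbin_index_full, not glibc code), models the "fastbin_index(chunksize(victim)) != idx" comparison from _int_malloc in fast_check_passes, and runs both over the intact size field and over the eight bytes the PoC writes. A 64-bit build (SIZE_SZ == 8, request size 0x20 for malloc(0x10)) is assumed; size_field_from_bytes and the byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants as defined in glibc's malloc.c (64-bit build assumed). */
#define SIZE_SZ   (sizeof(size_t))
#define SIZE_BITS 0x7u  /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define chunksize(size_field) ((size_field) & ~(size_t)SIZE_BITS)

/* The fastbin_index macro as it appears in glibc's malloc.c: the size is
   cast to unsigned int before the shift, so bits 32..63 never reach the index. */
#define fastbin_index(sz) ((((unsigned int)(sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2)

/* Hypothetical variant (not glibc code) doing the same arithmetic over the
   whole size_t, so the high bits of a corrupted size field change the index. */
static size_t fastbin_index_full(size_t sz)
{
    return (sz >> (SIZE_SZ == 8 ? 4 : 3)) - 2;
}

/* Assemble a size field from the 8 bytes as they lie in memory (little-endian,
   as written by the PoC's memcpy), independent of the host's byte order. */
size_t size_field_from_bytes(const unsigned char b[8])
{
    size_t v = 0;
    for (int k = 7; k >= 0; k--)
        v = (v << 8) | b[k];
    return v;
}

/* Model of the check in _int_malloc: a victim chunk is accepted when its size
   maps to the same fastbin index as the request size nb. Returns 1 if accepted. */
int fast_check_passes(size_t nb, size_t victim_size_field)
{
    unsigned int idx = fastbin_index(nb);
    return fastbin_index(chunksize(victim_size_field)) == idx;
}

/* Same check with the hypothetical full-width index. */
int fast_check_full_passes(size_t nb, size_t victim_size_field)
{
    size_t idx = fastbin_index_full(nb);
    return fastbin_index_full(chunksize(victim_size_field)) == idx;
}

int main(void)
{
    /* Constructed input: the 8 bytes the PoC writes over the size field,
       and the intact size field of a 0x20-byte chunk with PREV_INUSE set. */
    const unsigned char corrupted[8] = { 0x21, 0x00, 0x00, 0x00, 0x61, 0x61, 0x61, 0x61 };
    const unsigned char intact[8]    = { 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    size_t nb = 0x20; /* chunk size for malloc(0x10) on 64-bit glibc */

    size_t bad  = size_field_from_bytes(corrupted);
    size_t good = size_field_from_bytes(intact);

    printf("intact size    0x%zx: 32-bit check %s, full check %s\n", good,
           fast_check_passes(nb, good) ? "passes" : "fails",
           fast_check_full_passes(nb, good) ? "passes" : "fails");
    printf("corrupted size 0x%zx: 32-bit check %s, full check %s\n", bad,
           fast_check_passes(nb, bad) ? "passes" : "fails",
           fast_check_full_passes(nb, bad) ? "passes" : "fails");
    return 0;
}
```

With the intact field both checks accept the chunk; with the overwritten field the 32-bit index still evaluates to 0 and the check passes, while the full-width index is 0x0616161610000000 and the chunk is rejected. The model also shows that a wrong value in the low 32 bits (say 0x31 for a 0x20 request) is still caught by the existing check, so the gap is confined to the upper half of the qword.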