From: Istvan Kurucsai
To: libc-alpha@sourceware.org
Cc: Istvan Kurucsai
Subject: [PATCH v2 0/7] Additional integrity checks for the malloc
Date: Tue, 07 Nov 2017 15:27:00 -0000
Message-Id: <1510068430-27816-1-git-send-email-pistukem@gmail.com>

This is an updated version of a patch set I submitted previously [8]. The patch set tries to improve on the current integrity checks in malloc.
The goal was to eliminate known exploitation techniques with the simplest possible changes. The tests passed but I did no profiling. The performance impact of the mmap related parts shouldn't be noticeable; about the others I'm not sure. I already did copyright assignment.

A quick overview of the individual patches:

(1/7) An attempt at hardening the `use_top` part of malloc against corruption and pivoting of the top chunk, known as the House of Force [1]. The possibility of extending the top chunk from an mmapped arena into another remains. Note that this is almost identical to a recently submitted patch [9].

(2/7) The binning code in malloc is rather attacker-friendly [2][3]. Change this by enforcing as many invariants as possible on chunks from the unsorted bin.

(3/7) `malloc_consolidate` contains no integrity checks besides the ones in `unlink`. This can be abused by an attacker in a couple of ways [4]. The patch limits the possibilities significantly.

(4/7) Fix an unsigned underflow and subsequent wild memcpy that can be triggered by a corrupted chunk size in `__libc_realloc` [5].

(5/7) By corrupting the `IS_MMAPPED` bit of a free chunk, an attacker can force calloc to return an uninitialized chunk [6]. The patch adds checks to the `IS_MMAPPED` path in calloc, even though the protection is not complete.

(6/7), (7/7): Additional checks around the unmapping and remapping of chunks, which are abusable in different ways [7]. This also feels somewhat incomplete, but it is still an improvement.
[1]: https://github.com/shellphish/how2heap/blob/master/house_of_force.c
[2]: https://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf
[3]: https://github.com/shellphish/how2heap/blob/master/unsorted_bin_attack.c
[4]: http://tukan.farm/2016/09/04/fastbin-fever/
[5]: http://tukan.farm/2016/11/03/once-upon-a-realloc/
[6]: http://tukan.farm/2016/10/14/scraps-of-notes/
[7]: http://tukan.farm/2016/07/27/munmap-madness/
[8]: https://sourceware.org/ml/libc-alpha/2017-05/msg00899.html
[9]: https://sourceware.org/ml/libc-alpha/2017-10/msg01202.html

Istvan Kurucsai (7):
  malloc: Add check for top size corruption.
  malloc: Additional checks for unsorted bin integrity I.
  malloc: Ensure that the consolidated fast chunk has a sane size.
  malloc: Ensure lower bound on chunk size in __libc_realloc.
  malloc: Verify the integrity of mmapped chunks in calloc.
  malloc: Add more integrity checks to mremap_chunk.
  malloc: Check the alignment of mmapped chunks before unmapping.

 malloc/malloc.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 10 deletions(-)

-- 
2.7.4
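The cover letter names the invariants the series enforces (a top chunk no larger than the arena's system memory, sane sizes and a consistent next header for unsorted-bin chunks, a lower bound on the old chunk size in realloc, and page-aligned geometry for anything flagged IS_MMAPPED) without showing what such checks look like. The following is an added, self-contained C model of those checks, written for this page and not taken from glibc or from the patches themselves; the chunk layout, the MINSIZE/alignment constants, the fixed 4096-byte page size and the sample arena built by `build_sample_heap` are all simplified assumptions, and the names `top_size_ok`, `unsorted_chunk_ok`, `realloc_old_chunk_ok` and `mmapped_chunk_ok` are hypothetical. Each predicate returns false for a corrupted header the way the real allocator would abort with `malloc_printerr`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, constructed model of a glibc-style chunk header (not glibc's code). */
#define SIZE_SZ      sizeof(size_t)
#define MALLOC_ALIGN (2 * SIZE_SZ)   /* chunk addresses and sizes are multiples of this */
#define MINSIZE      (4 * SIZE_SZ)   /* smallest chunk that can hold the free-list links */
#define PAGE_SZ      4096u           /* assumed page size for the mmap checks */
#define PREV_INUSE   0x1u
#define IS_MMAPPED   0x2u
#define SIZE_BITS    0x7u            /* low bits of the size field are flags */

struct chunk { size_t prev_size; size_t size; };

static size_t chunksize(const struct chunk *p) { return p->size & ~(size_t)SIZE_BITS; }
static bool aligned_size(size_t s) { return s >= MINSIZE && (s % MALLOC_ALIGN) == 0; }

/* 1/7: the top chunk can never be larger than what the arena obtained from the system. */
bool top_size_ok(size_t top_size, size_t system_mem)
{
    return aligned_size(top_size) && top_size <= system_mem;
}

/* 2/7: invariants for a chunk about to be taken off the unsorted bin.
   `heap` is the arena memory of `len` bytes and `off` the victim's offset; the
   bounds checks keep the model from reading a next header outside the arena. */
bool unsorted_chunk_ok(const uint8_t *heap, size_t len, size_t off, size_t system_mem)
{
    struct chunk victim, next;
    if (off + sizeof victim > len) return false;
    memcpy(&victim, heap + off, sizeof victim);
    size_t size = chunksize(&victim);
    if (!aligned_size(size) || size > system_mem) return false;   /* size must be sane */
    if (off + size + sizeof next > len) return false;             /* next header inside arena */
    memcpy(&next, heap + off + size, sizeof next);
    if (next.prev_size != size) return false;      /* next->prev_size must mirror our size */
    if (next.size & PREV_INUSE) return false;      /* a free victim means next has PREV_INUSE clear */
    size_t nextsize = chunksize(&next);
    return nextsize > 2 * SIZE_SZ && nextsize <= system_mem;
}

/* 4/7: validate the old chunk before realloc does any arithmetic with its size.
   Sizes below MINSIZE are the case that otherwise feeds an unsigned underflow. */
bool realloc_old_chunk_ok(uintptr_t oldp, size_t oldsize)
{
    if (!aligned_size(oldsize)) return false;          /* lower bound and alignment */
    if (oldp % MALLOC_ALIGN) return false;             /* misaligned chunk pointer */
    if (oldp > (uintptr_t)0 - oldsize) return false;   /* oldp + oldsize would wrap */
    return true;
}

/* 5/7 and 7/7: a chunk flagged IS_MMAPPED must describe a whole, page-aligned mapping,
   so calloc may skip zeroing it and munmap/mremap may hand it back to the kernel. */
bool mmapped_chunk_ok(uintptr_t p, const struct chunk *hdr)
{
    if (!(hdr->size & IS_MMAPPED)) return false;
    if (p % MALLOC_ALIGN) return false;
    size_t size = chunksize(hdr);
    if (!aligned_size(size)) return false;
    if (hdr->prev_size > p) return false;              /* mapping base would precede address 0 */
    uintptr_t block = p - hdr->prev_size;              /* start of the mapping */
    size_t total = hdr->prev_size + size;              /* length of the mapping */
    if (total < size) return false;                    /* addition wrapped */
    return (block % PAGE_SZ) == 0 && (total % PAGE_SZ) == 0;
}

/* Constructed sample arena: a free 64-byte chunk at offset 0 followed by its neighbour. */
#define SAMPLE_LEN 256u
void build_sample_heap(uint8_t *heap)
{
    struct chunk a = { 0, 0x40 | PREV_INUSE };   /* free chunk on the unsorted bin */
    struct chunk b = { 0x40, 0x40 };             /* PREV_INUSE clear because a is free */
    memset(heap, 0, SAMPLE_LEN);
    memcpy(heap, &a, sizeof a);
    memcpy(heap + 0x40, &b, sizeof b);
}

int main(void)
{
    uint8_t heap[SAMPLE_LEN];
    build_sample_heap(heap);
    printf("intact unsorted chunk accepted: %d\n", unsorted_chunk_ok(heap, SAMPLE_LEN, 0, 0x21000));
    size_t bad = 0x8000;                         /* corrupt the victim's size field */
    memcpy(heap + sizeof(size_t), &bad, sizeof bad);
    printf("oversized victim rejected: %d\n", !unsorted_chunk_ok(heap, SAMPLE_LEN, 0, 0x21000));
    printf("huge top size rejected: %d\n", !top_size_ok((size_t)-0x100, 0x21000));
    return 0;
}
```

The model deliberately checks the next header's `prev_size` and `PREV_INUSE` bit as well as the victim's own size: a corrupted size alone is caught by the range test, but a forged size that still lies inside `system_mem` is only exposed by the neighbour disagreeing with it.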