Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Received: by sourceware.org; Thu, 02 May 2019 11:57:22 +0000
Date: Tue, 01 Jan 2019 00:00:00 -0000
From: Arjun Shankar
To: libc-stable@sourceware.org
Subject: [2.29 COMMITTED] malloc: Check for large bin list corruption when inserting unsorted chunk
Message-ID: <20190502115557.GA15776@aloka.lostca.se>
X-SW-Source: 2019-05/txt/msg00000.txt.bz2

Fixes bug 24216.

This patch adds security checks for the bk and bk_nextsize pointers of chunks in a large bin when inserting a chunk from the unsorted bin. It was possible to write the pointer to victim (the newly inserted chunk) to arbitrary memory locations if the bk or bk_nextsize pointers of the next large bin chunk got corrupted.

(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)
---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index feaf7ee0bf..ce771375b6 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
                     {
                       victim->fd_nextsize = fwd;
                       victim->bk_nextsize = fwd->bk_nextsize;
+                      if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+                        malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
                       fwd->bk_nextsize = victim;
                       victim->bk_nextsize->fd_nextsize = victim;
                     }
                   bck = fwd->bk;
+                  if (bck->fd != fwd)
+                    malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
                 }
             }
           else
-- 
2.20.1
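Review bot: the two new checks in this hunk are inconsistent about branch hints: the nextsize test is wrapped in `__glibc_unlikely (...)`, but the `bck->fd != fwd` test a few lines below is a bare `if`. Both are cold paths that end in `malloc_printerr`, so the second should read `if (__glibc_unlikely (bck->fd != fwd))` to match the first. The diffstat also shows only malloc/malloc.c changed; a regression test that corrupts the `bk_nextsize` and `bk` of a free large chunk and expects the abort would pin down both new messages on the 2.29 branch.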
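The commit message above describes the two pointer writes that inserting an unsorted chunk into a large bin performs, and how a corrupted bk or bk_nextsize in the neighbouring chunk redirects them. The following C program is an added example, not glibc code and not part of the patch: it models that insertion path on hand-built chunk structures, first without and then with the patch's two checks, so the arbitrary write and its detection can be observed outside a real heap. The struct chunk layout, the 0x500/0x400/0x450 sizes, the names largebin_insert_before, build_scenario and demo_*, and the target_a/target_b stand-ins for attacker-chosen memory are all this example's assumptions; the error strings are the ones the hunk adds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cut-down mchunkptr: only the header fields large bins use.  */
struct chunk
{
  size_t size;               /* chunksize | PREV_INUSE */
  struct chunk *fd, *bk;     /* size-sorted bin list, circular through the bin head */
  struct chunk *fd_nextsize; /* skip list: first chunk of the next smaller size */
  struct chunk *bk_nextsize; /* skip list: first chunk of the next larger size */
};

/* Model of the hunk's 'else' branch plus the tail that links victim into the
   fd/bk list.  fwd is the chunk the size walk stopped at (first chunk smaller
   than victim), so victim goes in front of it.  checked == 0 is the pre-patch
   logic, checked == 1 adds the patch's two tests.  Returns 0, or -1 with *err
   set to the message where glibc would abort in malloc_printerr.  */
static int
largebin_insert_before (struct chunk *victim, struct chunk *fwd, int checked,
                        const char **err)
{
  victim->fd_nextsize = fwd;
  victim->bk_nextsize = fwd->bk_nextsize;
  if (checked && fwd->bk_nextsize->fd_nextsize != fwd)
    {
      *err = "malloc(): largebin double linked list corrupted (nextsize)";
      return -1;
    }
  fwd->bk_nextsize = victim;
  victim->bk_nextsize->fd_nextsize = victim; /* write 1: target chosen by fwd's old bk_nextsize */

  struct chunk *bck = fwd->bk;
  if (checked && bck->fd != fwd)
    {
      *err = "malloc(): largebin double linked list corrupted (bk)";
      return -1;
    }
  victim->bk = bck;
  victim->fd = fwd;
  fwd->bk = victim;
  bck->fd = victim;                          /* write 2: target chosen by fwd->bk */
  return 0;
}

/* Constructed bin: head sentinel plus free chunks of 0x500 and 0x400 with both
   lists consistent.  target_a/target_b stand in for attacker-chosen memory; a
   real exploit would aim at (target - offsetof (struct chunk, field)) so the
   write lands on an exact address such as a global.  */
struct scenario { struct chunk head, big, small, victim, target_a, target_b; };

static void
build_scenario (struct scenario *s)
{
  memset (s, 0, sizeof *s);
  s->big.size = 0x500 | 1;
  s->small.size = 0x400 | 1;
  s->victim.size = 0x450 | 1;  /* between the two, so the size walk stops at small */
  s->head.fd = &s->big;    s->head.bk = &s->small;
  s->big.fd = &s->small;   s->big.bk = &s->head;
  s->small.fd = &s->head;  s->small.bk = &s->big;
  s->big.fd_nextsize = s->big.bk_nextsize = &s->small;
  s->small.fd_nextsize = s->small.bk_nextsize = &s->big;
}

/* 1 if an untampered insert leaves both lists consistent (checked or not).  */
int
demo_clean_insert_ok (int checked)
{
  struct scenario s;
  const char *err = NULL;
  build_scenario (&s);
  if (largebin_insert_before (&s.victim, &s.small, checked, &err) != 0)
    return 0;
  return s.big.fd == &s.victim && s.victim.fd == &s.small
         && s.small.bk == &s.victim && s.victim.bk == &s.big
         && s.big.fd_nextsize == &s.victim && s.victim.fd_nextsize == &s.small
         && s.small.bk_nextsize == &s.victim && s.victim.bk_nextsize == &s.big;
}

/* Pre-patch behaviour: overwriting small's bk_nextsize and bk (e.g. by an
   overflow into that free chunk's header) makes both writes store victim's
   address where the attacker chose.  Returns 1 if both landed.  */
int
demo_unchecked_arbitrary_write (void)
{
  struct scenario s;
  const char *err = NULL;
  build_scenario (&s);
  s.small.bk_nextsize = &s.target_a;
  s.small.bk = &s.target_b;
  if (largebin_insert_before (&s.victim, &s.small, 0, &err) != 0)
    return 0;
  return s.target_a.fd_nextsize == &s.victim && s.target_b.fd == &s.victim;
}

/* Post-patch behaviour.  which: 0 no corruption, 1 corrupt bk_nextsize,
   2 corrupt bk.  Returns NULL on success or the malloc_printerr message.  */
const char *
demo_checked (int which)
{
  struct scenario s;
  const char *err = NULL;
  build_scenario (&s);
  if (which == 1)
    s.small.bk_nextsize = &s.target_a;
  if (which == 2)
    s.small.bk = &s.target_b;
  return largebin_insert_before (&s.victim, &s.small, 1, &err) == 0 ? NULL : err;
}

int
main (void)
{
  printf ("clean insert consistent: %d\n", demo_clean_insert_ok (1));
  printf ("unchecked insert wrote victim to both targets: %d\n",
          demo_unchecked_arbitrary_write ());
  for (int which = 0; which < 3; which++)
    printf ("checked insert, corruption %d: %s\n", which,
            demo_checked (which) ? demo_checked (which) : "ok");
  return 0;
}
```

The model returns an error code where glibc aborts, only so the outcome can be inspected; the ordering of the two checks is kept as in the hunk, which is why corrupting both pointers at once is reported as the nextsize failure.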