* [2.28 COMMITTED] malloc: Check for large bin list corruption when inserting unsorted chunk
@ 2019-01-01 0:00 Arjun Shankar
0 siblings, 0 replies; only message in thread
From: Arjun Shankar @ 2019-01-01 0:00 UTC (permalink / raw)
To: libc-stable
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.
(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)
---
malloc/malloc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6ae22e61dc..0e9a2e23ec 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3869,10 +3869,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else
--
2.20.1
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-05-02 12:44 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-01 0:00 [2.28 COMMITTED] malloc: Check for large bin list corruption when inserting unsorted chunk Arjun Shankar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).