Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Received: from aloka.lostca.se (178.63.46.202) by sourceware.org with ESMTP; Thu, 02 May 2019 12:44:41 +0000
Date: Tue, 01 Jan 2019 00:00:00 -0000
From: Arjun Shankar
To: libc-stable@sourceware.org
Subject: [2.28 COMMITTED] malloc: Check for large bin list corruption when inserting unsorted chunk
Message-ID: <20190502124437.GD16742@aloka.lostca.se>

Fixes bug 24216.

This patch adds security checks for bk and bk_nextsize pointers of chunks in large bin when inserting chunk from unsorted bin. It was possible to write the pointer to victim (newly inserted chunk) to arbitrary memory locations if bk or bk_nextsize pointers of the next large bin chunk got corrupted.

(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)

--- malloc/malloc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/malloc/malloc.c b/malloc/malloc.c index 6ae22e61dc..0e9a2e23ec 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3869,10 +3869,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)"); } } else -- 2.20.1
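Review bot: the two added checks in this hunk are inconsistent in branch-hint style: the nextsize check is wrapped in `__glibc_unlikely (...)`, but `if (bck->fd != fwd)` is not, although both sit on the same allocation fast path and both are expected to fail only when the heap is already corrupt; wrap the second one the same way (`if (__glibc_unlikely (bck->fd != fwd))`) so the compiler moves the `malloc_printerr` call out of line for both. One caveat worth stating in the commit message: the nextsize check reads `fwd->bk_nextsize->fd_nextsize` through the very pointer that the later store `victim->bk_nextsize->fd_nextsize = victim` writes through, so a back-link that was redirected to a mapped location is now reported via `malloc_printerr` before any write happens, whereas a `bk_nextsize` pointing at unmapped memory still faults on the read rather than producing the "largebin double linked list corrupted (nextsize)" message. That is an acceptable outcome, since the fault occurs before the store, but the message text only describes the first case.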