To: "GNU C Library (Stable)"
From: Carlos O'Donell
Subject: [2.28 COMMITTED] malloc: Verify size of top chunk.
Organization: Red Hat
Message-ID: <973c16b0-adf5-e860-cb89-5e566c4eb9d6@redhat.com>
Date: Mon, 01 Jan 2018 00:00:00 -0000

Tested on x86_64. build-many-glibcs run in progress.

--

The House of Force is a well-known technique to exploit heap overflow.
In essence, this exploit takes three steps:

1. Overwrite the size of top chunk with a very large value (e.g. -1).
2. Request x bytes from top chunk. As the size of top chunk is corrupted, x
   can be arbitrarily large and top chunk will still be offset by x.
3. The next allocation from top chunk will thus be controllable.

If we verify the size of top chunk at step 2, we can stop such an attack.

(cherry picked from commit 30a17d8c95fbfb15c52d1115803b63aaa73a285c)
---
 ChangeLog       | 4 ++++
 malloc/malloc.c | 3 +++
 2 files changed, 7 insertions(+)

--
Cheers,
Carlos.

[Attachment: 0002-malloc-Verify-size-of-top-chunk.patch]

From 510a25f2d208e3b0c86f54b053f61c5b647e4b9b Mon Sep 17 00:00:00 2001
From: Pochang Chen
Date: Thu, 16 Aug 2018 15:24:24 -0400
Subject: [PATCH 2/8] malloc: Verify size of top chunk.

diff --git a/ChangeLog b/ChangeLog index 88814e6947..44795b2e61 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2018-08-16 Pochang Chen + + * malloc/malloc.c (_int_malloc.c): Verify size of top chunk. + 2018-08-13 Joseph Myers * sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
diff --git a/malloc/malloc.c b/malloc/malloc.c index e247c77b7d..9431108626 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4076,6 +4076,9 @@ _int_malloc (mstate av, size_t bytes) victim = av->top; size = chunksize (victim); + if (__glibc_unlikely (size > av->system_mem)) + malloc_printerr ("malloc(): corrupted top size"); + if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) { remainder_size = size - nb; -- 2.17.2
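Review bot: in the ChangeLog hunk the function is written as `(_int_malloc.c)`, which fuses the function name with a file suffix; the function the malloc.c hunk changes is `_int_malloc` (see its `@@` header), so the entry should read `* malloc/malloc.c (_int_malloc): Verify size of top chunk.`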
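Review bot: the new `size > av->system_mem` test in `_int_malloc` only rejects a top size larger than everything the arena has obtained, so it catches the -1 value named in the commit message but not a top size corrupted to a smaller, still-wrong value; a one-line comment above the `if` stating that `system_mem` is an upper bound rather than the true top size would stop later readers from taking it for a complete integrity check. The hunk also comes with no test, and the new `malloc_printerr` branch is only reachable through a corrupted heap, so a regression test in malloc/ that overwrites the top size and expects the `malloc(): corrupted top size` abort would be worth adding alongside.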
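To make the effect of the check concrete, here is an added toy model in C (written for this note, not glibc's code) of the top-chunk split in `_int_malloc`: `top_alloc` applies the patch's `size > av->system_mem` bound before carving `nb` bytes off the top chunk, and reports a hit instead of aborting the way `malloc_printerr` does. The names `arena`, `top_alloc`, `HEAP_BYTES` and the flat `heap[]` buffer are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed simplification of glibc's arena: a flat heap buffer, the offset of
   the top chunk, and system_mem, the total memory the arena has obtained,
   which bounds every size the arena can legitimately hold. */
#define MINSIZE 32u
#define HEAP_BYTES 4096u

struct arena {
  unsigned char heap[HEAP_BYTES];
  size_t top;        /* offset of the top chunk inside heap[] */
  size_t system_mem; /* what glibc's av->system_mem tracks */
};

/* The size field sits at the start of the chunk, as in glibc's chunk header. */
static size_t top_size(const struct arena *av) {
  size_t s;
  memcpy(&s, av->heap + av->top, sizeof s);
  return s;
}
static void set_top_size(struct arena *av, size_t s) {
  memcpy(av->heap + av->top, &s, sizeof s);
}

void arena_init(struct arena *av) {
  memset(av, 0, sizeof *av);
  av->system_mem = HEAP_BYTES;
  set_top_size(av, HEAP_BYTES); /* the whole heap starts out as top */
}

/* Carve nb bytes off top. Returns the chunk offset, or (size_t)-1 if the
   request is refused; *corrupted is set when the patch's check fires
   (glibc calls malloc_printerr and aborts instead of returning). */
size_t top_alloc(struct arena *av, size_t nb, bool *corrupted) {
  size_t size = top_size(av);
  *corrupted = false;
  if (size > av->system_mem) { /* the check added by the patch */
    *corrupted = true;
    return (size_t)-1;
  }
  if (size >= nb + MINSIZE) {  /* the pre-existing split of top */
    size_t victim = av->top;
    av->top += nb;
    set_top_size(av, size - nb); /* the remainder becomes the new top */
    return victim;
  }
  return (size_t)-1; /* top too small: real glibc would call sysmalloc */
}
```

A top size corrupted to (size_t)-1 is refused and `top` does not move, while a corrupted size that stays at or below `system_mem` still passes, which is why the bound is a sanity check rather than an exact size check.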