Received: (qmail 122673 invoked by alias); 12 Nov 2018 12:42:06 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Sender: libc-stable-owner@sourceware.org
To: "GNU C Library (Stable)"
From: Carlos O'Donell
Subject: [2.28 COMMITTED] malloc: Mitigate null-byte overflow attacks
Organization: Red Hat
Date: Mon, 01 Jan 2018 00:00:00 -0000
X-SW-Source: 2018-11/txt/msg00018.txt.bz2

Tested on x86_64. build-many-glibcs run in progress.

--
	* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
	(malloc_consolidate): Likewise.

(cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f)
---
 ChangeLog       | 5 +++++
 malloc/malloc.c | 4 ++++
 2 files changed, 9 insertions(+)

--
Cheers,
Carlos.

[Attachment: 0003-malloc-Mitigate-null-byte-overflow-attacks.patch (text/x-patch)]

>From 7e40c3f804b5d5dbbc0519565b16101ab22fb899 Mon Sep 17 00:00:00 2001
From: Moritz Eckert Date: Thu, 16 Aug 2018 21:08:36 -0400 Subject: [PATCH 3/8] malloc: Mitigate null-byte overflow attacks * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. (malloc_consolidate): Likewise. (cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f) --- ChangeLog | 5 +++++ malloc/malloc.c | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index 44795b2e61..e81991066e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2018-08-16 DJ Delorie + + * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. + (malloc_consolidate): Likewise. + 2018-08-16 Pochang Chen * malloc/malloc.c (_int_malloc.c): Verify size of top chunk. diff --git a/malloc/malloc.c b/malloc/malloc.c index 9431108626..7c8bf8413c 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size while consolidating"); unlink(av, p, bck, fwd); } @@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av) prevsize = prev_size (p); size += prevsize; p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) + malloc_printerr ("corrupted size vs. prev_size in fastbins"); unlink(av, p, bck, fwd); } -- 2.17.2 --------------396A510AFC8A78E3BD02AEE4--
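Review bot: the ChangeLog hunk credits the entry to DJ Delorie (`2018-08-16  DJ Delorie`) while the patch header names Moritz Eckert as the author; for a cherry-picked security fix the ChangeLog entry should carry the same author as the commit, or the backport cover should say why they differ. The entry also records only what is checked ("Check for corrupt prev_size vs size") and not what it defends against; a short clause tying it to the subject line, e.g. "to reject backward consolidation after a null-byte overflow into the size field", would tell a reader of the 2.28 branch what this mitigation covers and what it does not.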
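Review bot: in the `_int_free` hunk the new check runs only after `p = chunk_at_offset(p, -((long) prevsize))`, so `chunksize(p)` already dereferences an address computed from the untrusted `prev_size` field; a corrupted `prevsize` larger than the heap turns the check itself into a wild read and the process dies with SIGSEGV instead of the intended `malloc_printerr` abort. Consider range-checking `prevsize` before rewinding, along the lines of `if (__glibc_unlikely (prevsize < MINSIZE || prevsize >= av->system_mem)) malloc_printerr ("corrupted prev_size while consolidating");`, and only then comparing `chunksize(p)` with `prevsize`. Comparing against `chunksize(p)` rather than the raw size word is the right choice here, since `prev_size` is stored without the low flag bits, and the distinct message ("while consolidating") makes this abort separable from the one `unlink` raises on its own forward check.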
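Review bot: the message in the `malloc_consolidate` hunk, "corrupted size vs. prev_size in fastbins", names the wrong object: the chunk whose size is compared with `prevsize` is the already-free previous neighbour reached by rewinding `p` by `prev_size (p)`, not a chunk sitting in a fastbin, so someone triaging a crash report will look in the wrong place. "corrupted size vs. prev_size while consolidating fastbins" describes what was happening. Since this hunk repeats the same two added lines as the `_int_free` hunk with only the message changed, a small static inline helper or macro taking the message string would keep the two checks from drifting apart in later backports; the same `prevsize` range check suggested for `_int_free` applies here as well.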