Blame SOURCES/glibc-rh1651283-1.patch
|
 |
bdc76f |
commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f
|
|
|
bdc76f |
Author: Moritz Eckert <m.eckert@cs.ucsb.edu>
|
|
|
bdc76f |
Date: Thu Aug 16 21:08:36 2018 -0400
|
|
|
bdc76f |
|
|
|
bdc76f |
malloc: Mitigate null-byte overflow attacks
|
|
|
bdc76f |
|
|
|
bdc76f |
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
|
|
|
bdc76f |
(malloc_consolidate): Likewise.
|
|
|
bdc76f |
|
|
|
bdc76f |
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
|
bdc76f |
index 13c52f376859562d..e450597e2e527fb7 100644
|
|
|
bdc76f |
--- a/malloc/malloc.c
|
|
|
bdc76f |
+++ b/malloc/malloc.c
|
|
|
bdc76f |
@@ -4306,6 +4306,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
|
|
|
bdc76f |
prevsize = prev_size (p);
|
|
|
bdc76f |
size += prevsize;
|
|
|
bdc76f |
p = chunk_at_offset(p, -((long) prevsize));
|
|
|
bdc76f |
+ if (__glibc_unlikely (chunksize(p) != prevsize))
|
|
|
bdc76f |
+ malloc_printerr ("corrupted size vs. prev_size while consolidating");
|
|
|
bdc76f |
unlink(av, p, bck, fwd);
|
|
|
bdc76f |
}
|
|
|
bdc76f |
|
|
|
bdc76f |
@@ -4467,6 +4469,8 @@ static void malloc_consolidate(mstate av)
|
|
|
bdc76f |
prevsize = prev_size (p);
|
|
|
bdc76f |
size += prevsize;
|
|
|
bdc76f |
p = chunk_at_offset(p, -((long) prevsize));
|
|
|
bdc76f |
+ if (__glibc_unlikely (chunksize(p) != prevsize))
|
|
|
bdc76f |
+ malloc_printerr ("corrupted size vs. prev_size in fastbins");
|
|
|
bdc76f |
unlink(av, p, bck, fwd);
|
|
|
bdc76f |
}
|
|
|
bdc76f |
|