commit 5b06f538c5aee0389ed034f60d90a8884d6d54de

Author: Adam Maris <amaris@redhat.com>

Date:   Thu Mar 14 16:51:16 2019 -0400

    malloc: Check for large bin list corruption when inserting unsorted chunk

    Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers

    of chunks in large bin when inserting chunk from unsorted bin. It was possible

    to write the pointer to victim (newly inserted chunk) to arbitrary memory

    locations if bk or bk_nextsize pointers of the next large bin chunk

    got corrupted.

diff --git a/malloc/malloc.c b/malloc/malloc.c

index 4412a4ffc83b013b..723d393f529bdb4c 100644

--- a/malloc/malloc.c

+++ b/malloc/malloc.c

@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)

                         {

                           victim->fd_nextsize = fwd;

                           victim->bk_nextsize = fwd->bk_nextsize;

+                          if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))

+                            malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");

                           fwd->bk_nextsize = victim;

                           victim->bk_nextsize->fd_nextsize = victim;

                         }

                       bck = fwd->bk;

+                      if (bck->fd != fwd)

+                        malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");

                     }

                 }

               else