commit 5b06f538c5aee0389ed034f60d90a8884d6d54de
Author: Adam Maris <amaris@redhat.com>
Date:   Thu Mar 14 16:51:16 2019 -0400
    malloc: Check for large bin list corruption when inserting unsorted chunk
    
    Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
    of chunks in large bin when inserting chunk from unsorted bin. It was possible
    to write the pointer to victim (newly inserted chunk) to arbitrary memory
    locations if bk or bk_nextsize pointers of the next large bin chunk
    got corrupted.
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 4412a4ffc83b013b..723d393f529bdb4c 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
                         {
                           victim->fd_nextsize = fwd;
                           victim->bk_nextsize = fwd->bk_nextsize;
+                          if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+                            malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
                           fwd->bk_nextsize = victim;
                           victim->bk_nextsize->fd_nextsize = victim;
                         }
                       bck = fwd->bk;
+                      if (bck->fd != fwd)
+                        malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
                     }
                 }
               else
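Review bot: The new `bk` check after `bck = fwd->bk;` is not wrapped in `__glibc_unlikely`, unlike the `bk_nextsize` check added a few lines above and the other `malloc_printerr` guards in this file; for consistency, and so the compiler keeps the abort path cold, write `if (__glibc_unlikely (bck->fd != fwd))`. Note also that the `bk_nextsize` check covers only this inner `else` (size differs from `fwd`'s); the earlier branch taken when `victim` becomes the smallest chunk in the bin lies above the hunk and, as far as I recall, performs a similar `victim->bk_nextsize->fd_nextsize = victim` write that this patch does not validate — worth confirming against the full function. The enclosing `_int_malloc` begins and ends outside this hunk.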