From 49c3c37651e2d2ec4ff8ce21252bbbc08a9d6639 Mon Sep 17 00:00:00 2001

From: Eyal Itkin <eyalit@checkpoint.com>

Date: Tue, 31 Mar 2020 02:00:14 -0400

Subject: Fix alignment bug in Safe-Linking

Alignment checks should be performed on the user's buffer and NOT

on the mchunkptr as was done before. This caused bugs in 32 bit

versions, because: 2*sizeof(t) != MALLOC_ALIGNMENT.

As the tcache works on users' buffers it uses the aligned_OK()

check, and the rest work on mchunkptr and therefore check using

misaligned_chunk().

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/malloc/malloc.c b/malloc/malloc.c

index 0e4acb22f6..6acb5ad43a 100644

--- a/malloc/malloc.c

+++ b/malloc/malloc.c

@@ -2169,7 +2169,7 @@ do_check_malloc_state (mstate av)

       while (p != 0)

         {

-	  if (__glibc_unlikely (!aligned_OK (p)))

+	  if (__glibc_unlikely (misaligned_chunk (p)))

 	    malloc_printerr ("do_check_malloc_state(): "

 			     "unaligned fastbin chunk detected");

           /* each chunk claims to be inuse */

@@ -2949,11 +2949,11 @@ static __always_inline void *

 tcache_get (size_t tc_idx)

 {

   tcache_entry *e = tcache->entries[tc_idx];

+  if (__glibc_unlikely (!aligned_OK (e)))

+    malloc_printerr ("malloc(): unaligned tcache chunk detected");

   tcache->entries[tc_idx] = REVEAL_PTR (e->next);

   --(tcache->counts[tc_idx]);

   e->key = NULL;

-  if (__glibc_unlikely (!aligned_OK (e)))

-    malloc_printerr ("malloc(): unaligned tcache chunk detected");

   return (void *) e;

 }

@@ -3591,7 +3591,7 @@ _int_malloc (mstate av, size_t bytes)

       if (victim == NULL)				\

 	break;						\

       pp = REVEAL_PTR (victim->fd);                                     \

-      if (__glibc_unlikely (!aligned_OK (pp)))                          \

+      if (__glibc_unlikely (pp != NULL && misaligned_chunk (pp)))       \

 	malloc_printerr ("malloc(): unaligned fastbin chunk detected"); \

     }							\

   while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \

@@ -3606,8 +3606,8 @@ _int_malloc (mstate av, size_t bytes)

       if (victim != NULL)

 	{

-	  if (__glibc_unlikely (!aligned_OK (victim)))

-	    malloc_printerr ("malloc(): unaligned fastbin chunk detected");

+	  if (__glibc_unlikely (misaligned_chunk (victim)))

+	    malloc_printerr ("malloc(): unaligned fastbin chunk detected 2");

 	  if (SINGLE_THREAD_P)

 	    *fb = REVEAL_PTR (victim->fd);

@@ -3631,8 +3631,8 @@ _int_malloc (mstate av, size_t bytes)

 		  while (tcache->counts[tc_idx] < mp_.tcache_count

 			 && (tc_victim = *fb) != NULL)

 		    {

-		      if (__glibc_unlikely (!aligned_OK (tc_victim)))

-			malloc_printerr ("malloc(): unaligned fastbin chunk detected");

+		      if (__glibc_unlikely (misaligned_chunk (tc_victim)))

+			malloc_printerr ("malloc(): unaligned fastbin chunk detected 3");

 		      if (SINGLE_THREAD_P)

 			*fb = REVEAL_PTR (tc_victim->fd);

 		      else

@@ -4505,7 +4505,7 @@ static void malloc_consolidate(mstate av)

     if (p != 0) {

       do {

 	{

-	  if (__glibc_unlikely (!aligned_OK (p)))

+	  if (__glibc_unlikely (misaligned_chunk (p)))

 	    malloc_printerr ("malloc_consolidate(): "

 			     "unaligned fastbin chunk detected");

@@ -4937,7 +4937,7 @@ int_mallinfo (mstate av, struct mallinfo *m)

 	   p != 0;

 	   p = REVEAL_PTR (p->fd))

         {

-	  if (__glibc_unlikely (!aligned_OK (p)))

+	  if (__glibc_unlikely (misaligned_chunk (p)))

 	    malloc_printerr ("int_mallinfo(): "

 			     "unaligned fastbin chunk detected");

           ++nfastblocks;

@@ -5479,7 +5479,7 @@ __malloc_info (int options, FILE *fp)

 	      while (p != NULL)

 		{

-		  if (__glibc_unlikely (!aligned_OK (p)))

+		  if (__glibc_unlikely (misaligned_chunk (p)))

 		    malloc_printerr ("__malloc_info(): "

 				     "unaligned fastbin chunk detected");

 		  ++nthissize;