From 49c3c37651e2d2ec4ff8ce21252bbbc08a9d6639 Mon Sep 17 00:00:00 2001
From: Eyal Itkin <eyalit@checkpoint.com>
Date: Tue, 31 Mar 2020 02:00:14 -0400
Subject: Fix alignment bug in Safe-Linking
Alignment checks should be performed on the user's buffer and NOT
on the mchunkptr as was done before. This caused bugs in 32 bit
versions, because on those targets 2*sizeof(size_t) != MALLOC_ALIGNMENT, so a
pointer that is correctly aligned as a chunk header is not necessarily aligned
as a user buffer, and vice versa.
As the tcache works on users' buffers it uses the aligned_OK()
check, and the rest work on mchunkptr and therefore check using
misaligned_chunk().
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0e4acb22f6..6acb5ad43a 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2169,7 +2169,7 @@ do_check_malloc_state (mstate av)
 
       while (p != 0)
         {
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("do_check_malloc_state(): "
 			     "unaligned fastbin chunk detected");
           /* each chunk claims to be inuse */
@@ -2949,11 +2949,11 @@ static __always_inline void *
 tcache_get (size_t tc_idx)
 {
   tcache_entry *e = tcache->entries[tc_idx];
+  if (__glibc_unlikely (!aligned_OK (e)))
+    malloc_printerr ("malloc(): unaligned tcache chunk detected");
   tcache->entries[tc_idx] = REVEAL_PTR (e->next);
   --(tcache->counts[tc_idx]);
   e->key = NULL;
-  if (__glibc_unlikely (!aligned_OK (e)))
-    malloc_printerr ("malloc(): unaligned tcache chunk detected");
   return (void *) e;
 }
 
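Review bot: The relocated `aligned_OK (e)` check on the new line 62 still accepts a NULL `e` (presumably it is a pure mask test), so if `tcache->entries[tc_idx]` is NULL while the count says the bin is non-empty (a corrupted `tcache->counts`), the following `e->next` read faults instead of reaching malloc_printerr. The caller's guard is outside this hunk and may already rule that out; if it does not, `if (__glibc_unlikely (e == NULL || !aligned_OK (e)))` keeps the abort on the diagnostic path. Moving the check ahead of the dereference is the right direction, since the `key` write and the return now only happen for an aligned entry.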
@@ -3591,7 +3591,7 @@ _int_malloc (mstate av, size_t bytes)
       if (victim == NULL)				\
 	break;						\
       pp = REVEAL_PTR (victim->fd);                                     \
-      if (__glibc_unlikely (!aligned_OK (pp)))                          \
+      if (__glibc_unlikely (pp != NULL && misaligned_chunk (pp)))       \
 	malloc_printerr ("malloc(): unaligned fastbin chunk detected"); \
     }							\
   while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \
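Review bot: Inside this CAS loop the current `victim` is dereferenced on line 88 (`victim->fd`) before anything validates its alignment; the new check on line 92 only covers `pp`, the next entry, and the check on the chosen victim happens after the loop in the following hunk. On strict-alignment targets a misaligned fastbin head therefore traps at the `fd` read rather than aborting through malloc_printerr, and on x86 an attacker-controlled head is read once before it is rejected. Placing `if (__glibc_unlikely (misaligned_chunk (victim))) malloc_printerr ("malloc(): unaligned fastbin chunk detected");` before the `pp = REVEAL_PTR (victim->fd);` line closes that window on every iteration. The REMOVE_FB macro this belongs to begins before the hunk.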
@@ -3606,8 +3606,8 @@ _int_malloc (mstate av, size_t bytes)
 
       if (victim != NULL)
 	{
-	  if (__glibc_unlikely (!aligned_OK (victim)))
-	    malloc_printerr ("malloc(): unaligned fastbin chunk detected");
+	  if (__glibc_unlikely (misaligned_chunk (victim)))
+	    malloc_printerr ("malloc(): unaligned fastbin chunk detected 2");
 
 	  if (SINGLE_THREAD_P)
 	    *fb = REVEAL_PTR (victim->fd);
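Review bot: The new message on line 114, `"malloc(): unaligned fastbin chunk detected 2"`, tells the abort sites apart with a trailing number, whereas the other hunks in this commit distinguish sites by prefixing the function name (`"malloc_consolidate(): ..."`, `"int_mallinfo(): ..."`). These strings end up in crash reports and bug trackers, so a short word naming the path is easier to search for and will not be mistaken for a count, e.g. `"malloc(): unaligned fastbin chunk detected (fastbin top)"`; the same applies to the `... detected 3` string in the tcache refill hunk that follows. The enclosing _int_malloc body starts before and continues after this hunk.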
@@ -3631,8 +3631,8 @@ _int_malloc (mstate av, size_t bytes)
 		  while (tcache->counts[tc_idx] < mp_.tcache_count
 			 && (tc_victim = *fb) != NULL)
 		    {
-		      if (__glibc_unlikely (!aligned_OK (tc_victim)))
-			malloc_printerr ("malloc(): unaligned fastbin chunk detected");
+		      if (__glibc_unlikely (misaligned_chunk (tc_victim)))
+			malloc_printerr ("malloc(): unaligned fastbin chunk detected 3");
 		      if (SINGLE_THREAD_P)
 			*fb = REVEAL_PTR (tc_victim->fd);
 		      else
@@ -4505,7 +4505,7 @@ static void malloc_consolidate(mstate av)
     if (p != 0) {
       do {
 	{
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("malloc_consolidate(): "
 			     "unaligned fastbin chunk detected");
 
@@ -4937,7 +4937,7 @@ int_mallinfo (mstate av, struct mallinfo *m)
 	   p != 0;
 	   p = REVEAL_PTR (p->fd))
         {
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("int_mallinfo(): "
 			     "unaligned fastbin chunk detected");
           ++nfastblocks;
@@ -5479,7 +5479,7 @@ __malloc_info (int options, FILE *fp)
 
 	      while (p != NULL)
 		{
-		  if (__glibc_unlikely (!aligned_OK (p)))
+		  if (__glibc_unlikely (misaligned_chunk (p)))
 		    malloc_printerr ("__malloc_info(): "
 				     "unaligned fastbin chunk detected");
 		  ++nthissize;