| commit 5b06f538c5aee0389ed034f60d90a8884d6d54de |
| Author: Adam Maris <amaris@redhat.com> |
| Date: Thu Mar 14 16:51:16 2019 -0400 |
| |
| malloc: Check for large bin list corruption when inserting unsorted chunk |
| |
| Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers |
| of chunks in large bin when inserting chunk from unsorted bin. It was possible |
| to write the pointer to victim (newly inserted chunk) to arbitrary memory |
| locations if bk or bk_nextsize pointers of the next large bin chunk |
| got corrupted. |
| |
| diff --git a/malloc/malloc.c b/malloc/malloc.c |
| index 4412a4ffc83b013b..723d393f529bdb4c 100644 |
| |
| |
| @@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) |
| { |
| victim->fd_nextsize = fwd; |
| victim->bk_nextsize = fwd->bk_nextsize; |
| + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) |
| + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); |
| fwd->bk_nextsize = victim; |
| victim->bk_nextsize->fd_nextsize = victim; |
| } |
| bck = fwd->bk; |
| + if (bck->fd != fwd) |
| + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)"); |
| } |
| } |
| else |