| commit 30a17d8c95fbfb15c52d1115803b63aaa73a285c |
| Author: Pochang Chen <johnchen902@gmail.com> |
| Date: Thu Aug 16 15:24:24 2018 -0400 |
| |
| malloc: Verify size of top chunk. |
| |
| The House of Force is a well-known technique to exploit heap |
| overflow. In essence, this exploit takes three steps: |
| 1. Overwrite the size of top chunk with very large value (e.g. -1). |
| 2. Request x bytes from top chunk. As the size of top chunk |
| is corrupted, x can be arbitrarily large and top chunk will |
| still be offset by x. |
| 3. The next allocation from top chunk will thus be controllable. |
| |
| If we verify the size of top chunk at step 2, we can stop such attack. |
| |
| diff --git a/malloc/malloc.c b/malloc/malloc.c |
| index e450597e2e527fb7..d8d4581a9dcea80a 100644 |
| |
| |
| @@ -4084,6 +4084,9 @@ _int_malloc (mstate av, size_t bytes) |
| victim = av->top; |
| size = chunksize (victim); |
| |
| + if (__glibc_unlikely (size > av->system_mem)) |
| + malloc_printerr ("malloc(): corrupted top size"); |
| + |
| if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE)) |
| { |
| remainder_size = size - nb; |