You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
32 lines
1.5 KiB
32 lines
1.5 KiB
2 years ago
|
commit 5b06f538c5aee0389ed034f60d90a8884d6d54de
|
||
|
Author: Adam Maris <amaris@redhat.com>
|
||
|
Date: Thu Mar 14 16:51:16 2019 -0400
|
||
|
|
||
|
malloc: Check for large bin list corruption when inserting unsorted chunk
|
||
|
|
||
|
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
|
||
|
of chunks in large bin when inserting chunk from unsorted bin. It was possible
|
||
|
to write the pointer to victim (newly inserted chunk) to arbitrary memory
|
||
|
locations if bk or bk_nextsize pointers of the next large bin chunk
|
||
|
got corrupted.
|
||
|
|
||
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||
|
index 4412a4ffc83b013b..723d393f529bdb4c 100644
|
||
|
--- a/malloc/malloc.c
|
||
|
+++ b/malloc/malloc.c
|
||
|
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
|
||
|
{
|
||
|
victim->fd_nextsize = fwd;
|
||
|
victim->bk_nextsize = fwd->bk_nextsize;
|
||
|
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
|
||
|
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
|
||
|
fwd->bk_nextsize = victim;
|
||
|
victim->bk_nextsize->fd_nextsize = victim;
|
||
|
}
|
||
|
bck = fwd->bk;
|
||
|
+ if (bck->fd != fwd)
|
||
|
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
|
||
|
}
|
||
|
}
|
||
|
else
|