aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Maris <amaris@redhat.com>2019-03-14 16:51:16 -0400
committerDJ Delorie <dj@redhat.com>2019-03-14 16:51:16 -0400
commit5b06f538c5aee0389ed034f60d90a8884d6d54de (patch)
treefd5924d5f840d9b42e259e346ca811a7c77506d1
parenta0a0dc83173ce11ff45105fd32e5d14356cdfb9c (diff)
downloadglibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.zip
glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.tar.gz
glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.tar.bz2
malloc: Check for large bin list corruption when inserting unsorted chunk
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers of chunks in large bin when inserting chunk from unsorted bin. It was possible to write the pointer to victim (newly inserted chunk) to arbitrary memory locations if bk or bk_nextsize pointers of the next large bin chunk got corrupted.
-rw-r--r--malloc/malloc.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6e766d1..801ba1f 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
{
victim->fd_nextsize = fwd;
victim->bk_nextsize = fwd->bk_nextsize;
+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
fwd->bk_nextsize = victim;
victim->bk_nextsize->fd_nextsize = victim;
}
bck = fwd->bk;
+ if (bck->fd != fwd)
+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
}
}
else