51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
From 7e40c3f804b5d5dbbc0519565b16101ab22fb899 Mon Sep 17 00:00:00 2001
|
|
From: Moritz Eckert <m.eckert@cs.ucsb.edu>
|
|
Date: Thu, 16 Aug 2018 21:08:36 -0400
|
|
Subject: [PATCH 39] malloc: Mitigate null-byte overflow attacks
|
|
|
|
* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
|
|
(malloc_consolidate): Likewise.
|
|
|
|
(cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f)
|
|
---
|
|
ChangeLog | 5 +++++
|
|
malloc/malloc.c | 4 ++++
|
|
2 files changed, 9 insertions(+)
|
|
|
|
diff --git a/ChangeLog b/ChangeLog
|
|
index 44795b2e61..e81991066e 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,8 @@
|
|
+2018-08-16 DJ Delorie <dj@delorie.com>
|
|
+
|
|
+ * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
|
|
+ (malloc_consolidate): Likewise.
|
|
+
|
|
2018-08-16 Pochang Chen <johnchen902@gmail.com>
|
|
|
|
* malloc/malloc.c (_int_malloc.c): Verify size of top chunk.
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index 9431108626..7c8bf8413c 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
|
|
prevsize = prev_size (p);
|
|
size += prevsize;
|
|
p = chunk_at_offset(p, -((long) prevsize));
|
|
+ if (__glibc_unlikely (chunksize(p) != prevsize))
|
|
+ malloc_printerr ("corrupted size vs. prev_size while consolidating");
|
|
unlink(av, p, bck, fwd);
|
|
}
|
|
|
|
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
|
|
prevsize = prev_size (p);
|
|
size += prevsize;
|
|
p = chunk_at_offset(p, -((long) prevsize));
|
|
+ if (__glibc_unlikely (chunksize(p) != prevsize))
|
|
+ malloc_printerr ("corrupted size vs. prev_size in fastbins");
|
|
unlink(av, p, bck, fwd);
|
|
}
|
|
|
|
|