diff options
| author | Adam Maris <amaris@redhat.com> | 2019-03-14 16:51:16 -0400 |
|---|---|---|
| committer | DJ Delorie <dj@redhat.com> | 2019-03-14 16:51:16 -0400 |
| commit | 5b06f538c5aee0389ed034f60d90a8884d6d54de (patch) | |
| tree | fd5924d5f840d9b42e259e346ca811a7c77506d1 /malloc | |
| parent | a0a0dc83173ce11ff45105fd32e5d14356cdfb9c (diff) | |
| download | glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.tar glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.tar.gz glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.tar.bz2 glibc-5b06f538c5aee0389ed034f60d90a8884d6d54de.zip | |
malloc: Check for large bin list corruption when inserting unsorted chunk
Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.
Diffstat (limited to 'malloc')
| -rw-r--r-- | malloc/malloc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 6e766d11bc..801ba1f499 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes) { victim->fd_nextsize = fwd; victim->bk_nextsize = fwd->bk_nextsize; + if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); fwd->bk_nextsize = victim; victim->bk_nextsize->fd_nextsize = victim; } bck = fwd->bk; + if (bck->fd != fwd) + malloc_printerr ("malloc(): largebin double linked list corrupted (bk)"); } } else |