cvs-malloc-hardening
authorGNU Libc Maintainers <debian-glibc@lists.debian.org>
Sat, 26 Aug 2017 09:09:24 +0000 (10:09 +0100)
committerAurelien Jarno <aurel32@debian.org>
Sat, 26 Aug 2017 09:09:24 +0000 (10:09 +0100)
2017-03-17  Chris Evans  <scarybeasts@gmail.com>

* malloc/malloc.c (unlink): Add consistency check between size and
next->prev->size, to further harden against 1-byte overflows.

2016-10-27  Florian Weimer  <fweimer@redhat.com>

* malloc/malloc.c (sysmalloc): Initialize previous size field of
mmaped chunks.

Gbp-Pq: Topic any
Gbp-Pq: Name cvs-malloc-hardening.diff

malloc/malloc.c

index 1f5f166ea2ecdf601546b4157e3a291dd5c330a4..37a373c7e01b6687a89b70846f7722f9269356c3 100644 (file)
@@ -1405,6 +1405,8 @@ typedef struct malloc_chunk *mbinptr;
 
 /* Take a chunk off a bin list */
 #define unlink(AV, P, BK, FD) {                                            \
+    if (__builtin_expect (chunksize(P) != next_chunk(P)->prev_size, 0))      \
+      malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV);  \
     FD = P->fd;                                                                      \
     BK = P->bk;                                                                      \
     if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                    \
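Review bot: The new size-vs-prev_size check reads `next_chunk(P)->prev_size` before anything else in `unlink`, so a corrupted `P->size` steers that read itself rather than the later `FD`/`BK` writes; that is the intended trade (a fault on the read is preferable to a controlled write) but it is not stated anywhere, and the existing "Take a chunk off a bin list" comment does not mention the new invariant. Like the adjacent `FD->bk != P || BK->fd != P` check, the macro carries on with the chunk if `malloc_printerr` returns (whether it does appears to depend on `check_action`, which is outside the hunk), so the check detects but does not by itself stop the unlink. I would extend the comment above the `#define` to `/* Take a chunk off a bin list. A free chunk's size must match the prev_size recorded in the following chunk; a mismatch is the signature of a small (e.g. 1-byte) overflow into the size field and is reported before fd/bk are touched. */`. The comparison uses the raw `prev_size` field against the masked `chunksize(P)`, which is correct only while P is free (prev_size is maintained for free chunks), so the comment should say it applies to chunks on a bin list.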
@@ -2361,6 +2363,7 @@ sysmalloc (INTERNAL_SIZE_T nb, mstate av)
               else
                 {
                   p = (mchunkptr) mm;
+                 p->prev_size = 0;
                   set_head (p, size | IS_MMAPPED);
                 }