From: GNU Libc Maintainers
Date: Sat, 2 Dec 2017 10:07:17 +0000 (+0000)
Subject: cvs-malloc-hardening
X-Git-Tag: archive/raspbian/2.25-3+rpi1^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b5e30484327b2562c4035f917d7c8a04e2eb9758;p=glibc.git
cvs-malloc-hardening 2017-03-17 Chris Evans * malloc/malloc.c (unlink): Add consistency check between size and next->prev->size, to further harden against 1-byte overflows.
Gbp-Pq: Topic any
Gbp-Pq: Name cvs-malloc-hardening.diff
---
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 4e076638b..88d1d167b 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1376,6 +1376,8 @@ typedef struct malloc_chunk *mbinptr;
 
 /* Take a chunk off a bin list */
 #define unlink(AV, P, BK, FD) { \
+ if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0)) \
+ malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV); \
 FD = P->fd; \
 BK = P->bk; \
 if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \
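Review bot: The new size test in `unlink` has no `else`, so if `malloc_printerr` returns, the macro falls through to `FD = P->fd;` and goes on unlinking a chunk it has just found inconsistent. Whether `malloc_printerr` can return depends on how `check_action` is handled, which is not visible in this hunk; if it can, the statements from `FD = P->fd;` onward should become the `else` arm of the new test. Separately, `next_chunk(P)` is located using the same size field that is being validated, so the test shows only that two fields agree, not that the size is intact. A comment above the test such as `/* P is free, so the next chunk's prev_size must equal chunksize(P); consistency check only */` would record that. The macro body continues past the end of the hunk.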