| author | Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> | 2025-02-11 14:29:51 -0500 |
|---|---|---|
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2025-02-13 16:31:28 -0300 |
| commit | d10176c0ffeadbc0bcd443741f53ebd85e70db44 (patch) | |
| tree | a222f17cc39ec66b9ca7e2c895a37c6b49bdeb56 | |
| parent | 6a3cb6b1bd63e167fc525cce07010ff78197b271 (diff) | |
| download | glibc-d10176c0ffeadbc0bcd443741f53ebd85e70db44.tar.xz glibc-d10176c0ffeadbc0bcd443741f53ebd85e70db44.zip | |
malloc: Add size check when moving fastbin->tcache

By overwriting a forward link in a fastbin chunk that is subsequently
moved into the tcache, it's possible to get malloc to return an
arbitrary address [0].

When a chunk is fetched from a fastbin, its size is checked against the
expected chunk size for that fastbin (see malloc.c:3991). This patch
adds a similar check for chunks being moved from a fastbin to tcache,
which renders obsolete the exploitation technique described above.

Now updated to use __glibc_unlikely instead of __builtin_expect, as
requested.

[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/fastbin_reverse_into_tcache.c

Signed-off-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
| -rw-r--r-- | malloc/malloc.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index 27dfd1eb90..dcac903e2a 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4005,6 +4005,9 @@ _int_malloc (mstate av, size_t bytes) { if (__glibc_unlikely (misaligned_chunk (tc_victim))) malloc_printerr ("malloc(): unaligned fastbin chunk detected 3"); + size_t victim_tc_idx = csize2tidx (chunksize (tc_victim)); + if (__glibc_unlikely (tc_idx != victim_tc_idx)) + malloc_printerr ("malloc(): chunk size mismatch in fastbin"); if (SINGLE_THREAD_P) *fb = REVEAL_PTR (tc_victim->fd); else |
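Review bot: The new check in the fastbin-to-tcache refill loop is well placed, since it sits after the `misaligned_chunk (tc_victim)` test, so `chunksize (tc_victim)` reads a header that is at least properly aligned, and before `tc_victim->fd` is consumed, so a forged forward link is rejected before it can propagate into `*fb` or the tcache; but the invariant being enforced is not documented, and a one-line comment above `size_t victim_tc_idx = csize2tidx (chunksize (tc_victim));` stating that every chunk linked in this fastbin must map to the same tcache index `tc_idx` as the requested size, and that a mismatch means the fastbin's fd chain has been corrupted, would make the intent as clear as the neighbouring alignment check. The diffstat shows only malloc/malloc.c changing, so a regression test that corrupts a fastbin fd in a child process and expects the `"malloc(): chunk size mismatch in fastbin"` abort would keep this check from silently regressing. Minor: the error message could name the tcache transition (for example `"malloc(): chunk size mismatch in fastbin -> tcache"`) so it is distinguishable from the existing size check on the direct fastbin fetch path when triaging crash reports.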
