| field | value | date |
|---|---|---|
| author | Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> | 2025-02-14 00:34:54 -0500 |
| committer | DJ Delorie <dj@redhat.com> | 2025-03-03 18:31:27 -0500 |
| commit | 4cf2d869367e3813c6c8f662915dedb1f3830c53 (patch) | |
| tree | 6722ce7030179315d44392ddf9333dddf7f6fc1f /malloc | |
| parent | 8c6fee9f7f4c09bf96766942fdd430f8beb638b0 (diff) | |
| download | glibc-4cf2d869367e3813c6c8f662915dedb1f3830c53.tar.xz glibc-4cf2d869367e3813c6c8f662915dedb1f3830c53.zip | |
malloc: Add integrity check to largebin nextsizes
If an attacker overwrites the bk_nextsize link in the first chunk of a
largebin that later has a smaller chunk inserted into it, malloc will
write a heap pointer into an attacker-controlled address [0].
This patch adds an integrity check to mitigate this attack.
[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/large_bin_attack.c
Signed-off-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'malloc')
| -rw-r--r-- | malloc/malloc.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/malloc/malloc.c b/malloc/malloc.c index dcac903e2a..931ca48112 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -4244,6 +4244,9 @@ _int_malloc (mstate av, size_t bytes) fwd = bck; bck = bck->bk; + if (__glibc_unlikely (fwd->fd->bk_nextsize->fd_nextsize != fwd->fd)) + malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)"); + victim->fd_nextsize = fwd->fd; victim->bk_nextsize = fwd->fd->bk_nextsize; fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim; |
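Review bot: the check sits at the right point, immediately before `victim->bk_nextsize = fwd->fd->bk_nextsize;` copies the first chunk's back-link and the next line `fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;` writes `victim` through it, so a forged `bk_nextsize` now aborts via `malloc_printerr` instead of becoming the arbitrary write the commit message describes. Two things worth noting in review: the condition `fwd->fd->bk_nextsize->fd_nextsize != fwd->fd` only validates the one link this path writes through, and it dereferences `fwd->fd->bk_nextsize` itself, so a back-link pointing at unmapped memory will fault before `malloc_printerr` runs (still a safe failure, but a different one). A one-line comment above the check stating the invariant being enforced (the first chunk's `bk_nextsize` must point to a chunk whose `fd_nextsize` returns to it) would help the next reader, since the surrounding pointer shuffle is dense and the message text alone does not say which link is being verified.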
