malloc: Mitigate null-byte overflow attacks

* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
(malloc_consolidate): Likewise.

(cherry picked from commit d6db68e66dff25d12c3bc5641b60cbd7fb6ab44f)

diff --git a/ChangeLog b/ChangeLog
index 44795b2e61c78f32bf58f5b81e4dc500e2789a57..e81991066ecdd453e64e96a901330d152ab343c3 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2018-08-16  DJ Delorie  <dj@delorie.com>
+
+       * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
+       (malloc_consolidate): Likewise.
+
 2018-08-16  Pochang Chen  <johnchen902@gmail.com>
 
        * malloc/malloc.c (_int_malloc.c): Verify size of top chunk.

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 9431108626cdc0b5c1972ee00126228c8dd7166f..7c8bf8413c54c367031ca274c9bca497a45897f8 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4281,6 +4281,8 @@ _int_free (mstate av, mchunkptr p, int have_lock)
       prevsize = prev_size (p);
       size += prevsize;
       p = chunk_at_offset(p, -((long) prevsize));
+      if (__glibc_unlikely (chunksize(p) != prevsize))
+        malloc_printerr ("corrupted size vs. prev_size while consolidating");
       unlink(av, p, bck, fwd);
     }
 
@@ -4442,6 +4444,8 @@ static void malloc_consolidate(mstate av)
          prevsize = prev_size (p);
          size += prevsize;
          p = chunk_at_offset(p, -((long) prevsize));
+         if (__glibc_unlikely (chunksize(p) != prevsize))
+           malloc_printerr ("corrupted size vs. prev_size in fastbins");
          unlink(av, p, bck, fwd);
        }