malloc: Add size check when moving fastbin->tcache

By overwriting a forward link in a fastbin chunk that is subsequently
moved into the tcache, it's possible to get malloc to return an
arbitrary address [0].

When a chunk is fetched from a fastbin, its size is checked against the
expected chunk size for that fastbin (see malloc.c:3991). This patch
adds a similar check for chunks being moved from a fastbin to tcache,
which renders obsolete the exploitation technique described above.

Now updated to use __glibc_unlikely instead of __builtin_expect, as
requested.

[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/fastbin_reverse_into_tcache.c

Signed-off-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 27dfd1eb907f4615b70c70237c42c552bb4f26a8..dcac903e2a2274a9eaa64af278ba77abe714179e 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4005,6 +4005,9 @@ _int_malloc (mstate av, size_t bytes)
                    {
                      if (__glibc_unlikely (misaligned_chunk (tc_victim)))
                        malloc_printerr ("malloc(): unaligned fastbin chunk detected 3");
+                     size_t victim_tc_idx = csize2tidx (chunksize (tc_victim));
+                     if (__glibc_unlikely (tc_idx != victim_tc_idx))
+                       malloc_printerr ("malloc(): chunk size mismatch in fastbin");
                      if (SINGLE_THREAD_P)
                        *fb = REVEAL_PTR (tc_victim->fd);
                      else