From: Florian Weimer Date: Wed, 10 Sep 2014 18:29:15 +0000 (+0200) Subject: malloc: additional unlink hardening for non-small bins [BZ #17344] X-Git-Tag: glibc-2.21~571 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52ffbdf25a1100986f4ae27bb0febbe5a722ab25;p=thirdparty%2Fglibc.git malloc: additional unlink hardening for non-small bins [BZ #17344] Turn two asserts into a conditional call to malloc_printerr. The memory locations are accessed later anyway, so the performance impact is minor.
---
diff --git a/ChangeLog b/ChangeLog
index 0377062999e..71c9671895c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2014-09-11 Florian Weimer
+
+ [BZ #17344]
+ * malloc/malloc.c (unlink): Turn asserts into a call to
+ malloc_printerr.
+
2014-09-11 Tim Lammens [BZ #17370]
diff --git a/NEWS b/NEWS
index c607d124858..680c265c685 100644
--- a/NEWS
+++ b/NEWS
@@ -29,7 +29,7 @@ Version 2.20
16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
- 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
+ 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354.
* Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6ee38401dd7..6cbe9f32f89 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
BK->fd = FD; \
if (!in_smallbin_range (P->size) \
&& __builtin_expect (P->fd_nextsize != NULL, 0)) { \
- assert (P->fd_nextsize->bk_nextsize == P); \
- assert (P->bk_nextsize->fd_nextsize == P); \
+ if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
|| __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
+ malloc_printerr (check_action, \
"corrupted double-linked list (not small)", P);\
if (FD->fd_nextsize == NULL) { \
if (P->fd_nextsize == P) \
FD->fd_nextsize = FD->bk_nextsize = FD; \
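Review bot: The new `if` makes the nextsize consistency check only as strong as `check_action`, whereas the `assert` it replaces aborted unconditionally: `malloc_printerr` is passed `check_action` as its first argument, and if (as its signature suggests, to be confirmed against its definition outside this hunk) an action value with neither the report nor the abort bit set — e.g. `MALLOC_CHECK_=0` — makes it return, the macro falls through to the `if (FD->fd_nextsize == NULL)` branch and keeps unlinking through attacker-controlled `fd_nextsize`/`bk_nextsize` pointers, and does so after `BK->fd = FD` has already been written. For a hardening check that is a real weakening relative to the old behaviour, so either make nextsize corruption fatal irrespective of `check_action` or state the trade-off explicitly. At minimum add a comment above the new check, e.g. `/* Check the nextsize links before they are followed below.  Unlike the old assert this honours check_action, so a non-aborting action lets the unlink proceed on a corrupted chunk. */`. Note also that only `P->fd_nextsize` is tested for NULL before both pointers are dereferenced, which the old asserts shared and so is not a regression. The `unlink` macro begins and ends outside this hunk.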