Further harden glibc malloc metadata against 1-byte overflows.

Additional check for chunk_size == next->prev->chunk_size in unlink()

2017-03-17  Chris Evans  <scarybeasts@gmail.com>

	* malloc/malloc.c (unlink): Add consistency check between size and
	next->prev->size, to further harden against 1-byte overflows.

diff --git a/ChangeLog b/ChangeLog
index 4bafcd183c25140c1126b44f49710487df7df130..7d5bc5d71e4d92137f7e7c83a685f6fc89560070 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-03-17  Chris Evans  <scarybeasts@gmail.com>
+
+       * malloc/malloc.c (unlink): Add consistency check between size and
+       next->prev->size, to further harden against 1-byte overflows.
+
 2017-03-17  H.J. Lu  <hongjiu.lu@intel.com>
 
        * sysdeps/x86/cpu-features.c (init_cpu_features): Check AVX with

diff --git a/malloc/malloc.c b/malloc/malloc.c
index e29105c37211076679a44594e2cdfb501553c606..994a23248e258501979138f3b07785045a60e69f 100644 (file)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1376,6 +1376,8 @@ typedef struct malloc_chunk *mbinptr;
 
 /* Take a chunk off a bin list */
 #define unlink(AV, P, BK, FD) {                                            \
+    if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0))      \
+      malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV);  \
     FD = P->fd;                                                                      \
     BK = P->bk;                                                                      \
     if (__builtin_expect (FD->bk != P || BK->fd != P, 0))                    \