git.ipfire.org Git - thirdparty/glibc.git/commit

author	David Lau <david.lau@fau.de>
	Mon, 12 May 2025 11:42:17 +0000 (11:42 +0000)
committer	Wilco Dijkstra <wilco.dijkstra@arm.com>
	Mon, 12 May 2025 11:58:30 +0000 (11:58 +0000)
commit	eff1f680cffb005a5623d1c8a952d095b988d6a2
tree	21f1162e62b2c53086948327e9650f2b0bfc6b42	tree
parent	e83207c6e67f81b2db4def8149cd3697a0237f89	commit \| diff

malloc: Improved double free detection in the tcache

The previous double free detection did not account for an attacker to
use a terminating null byte overflowing from the previous
chunk to change the size of a memory chunk is being sorted into.
So that the check in 'tcache_double_free_verify' would pass
even though it is a double free.

Solution:
Let 'tcache_double_free_verify' iterate over all tcache entries to
detect double frees.

This patch only protects from buffer overflows by one byte.
But I would argue that off by one errors are the most common
errors to be made.

Alternatives Considered:
  Store the size of a memory chunk in big endian and thus
  the chunk size would not get overwritten because entries in the
  tcache are not that big.

  Move the tcache_key before the actual memory chunk so that it
  does not have to be checked at all, this would work better in general
  but also it would increase the memory usage.

Signed-off-by: David Lau <david.lau@fau.de>
Reviewed-by: Wilco Dijkstra <Wilco.Dijkstra@arm.com>

malloc/Makefile		diff \| blob \| blame \| history
malloc/malloc.c		diff \| blob \| blame \| history
malloc/tst-tcfree4.c	[new file with mode: 0644]	blob