From: DJ Delorie <dj@delorie.com>
Date: Fri, 17 Mar 2017 19:31:38 +0000 (-0400)
Subject: Further harden glibc malloc metadata against 1-byte overflows.
X-Git-Tag: glibc-2.26~690
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17f487b7afa7cd6c316040f3e6c86dc96b2eec30;p=thirdparty%2Fglibc.git

Further harden glibc malloc metadata against 1-byte overflows.

Additional check for chunk_size == next->prev->chunk_size in unlink()

2017-03-17  Chris Evans  <scarybeasts@gmail.com>

	* malloc/malloc.c (unlink): Add consistency check between size and
	next->prev->size, to further harden against 1-byte overflows.
---

diff --git a/ChangeLog b/ChangeLog
index 4bafcd183c2..7d5bc5d71e4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-03-17  Chris Evans  <scarybeasts@gmail.com>
+
+	* malloc/malloc.c (unlink): Add consistency check between size and
+	next->prev->size, to further harden against 1-byte overflows.
+
 2017-03-17  H.J. Lu  <hongjiu.lu@intel.com>
 
 	* sysdeps/x86/cpu-features.c (init_cpu_features): Check AVX with
diff --git a/malloc/malloc.c b/malloc/malloc.c
index e29105c3721..994a23248e2 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1376,6 +1376,8 @@ typedef struct malloc_chunk *mbinptr;
 
 /* Take a chunk off a bin list */
 #define unlink(AV, P, BK, FD) {                                            \
+    if (__builtin_expect (chunksize(P) != prev_size (next_chunk(P)), 0))      \
+      malloc_printerr (check_action, "corrupted size vs. prev_size", P, AV);  \
     FD = P->fd;								      \
     BK = P->bk;								      \
     if (__builtin_expect (FD->bk != P || BK->fd != P, 0))		      \