niansa-misc/glibc
1
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-03-06 20:58:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

malloc: Add integrity check to largebin nextsizes

Browse source 
If attacker overwrites the bk_nextsize link in the first chunk of a
largebin that later has a smaller chunk inserted into it, malloc will
write a heap pointer into an attacker-controlled address [0].

This patch adds an integrity check to mitigate this attack.

[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/large_bin_attack.c

Signed-off-by: Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Reviewed-by: DJ Delorie <dj@redhat.com>
This commit is contained in:
Ben Kallus 2025-02-14 00:34:54 -05:00 committed by DJ Delorie
parent 8c6fee9f7f
commit 4cf2d86936
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
malloc/malloc.c
View file

@ -4244,6 +4244,9 @@ _int_malloc (mstate av, size_t bytes)
fwd = bck;
bck = bck->bk;
if (__glibc_unlikely (fwd->fd->bk_nextsize->fd_nextsize != fwd->fd))
malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
victim->fd_nextsize = fwd->fd;
victim->bk_nextsize = fwd->fd->bk_nextsize;
fwd->fd->bk_nextsize = victim->bk_nextsize->fd_nextsize = victim;