void-packages/srcpkgs/glibc/patches/glibc-upstream-18.patch

From 52b7cd6e9a701bb203023d56e84551943dc6a4c0 Mon Sep 17 00:00:00 2001
From: Adam Maris <amaris@redhat.com>
Date: Thu, 14 Mar 2019 16:51:16 -0400
Subject: [PATCH 18] malloc: Check for large bin list corruption when
 inserting unsorted chunk

Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers
of chunks in large bin when inserting chunk from unsorted bin. It was possible
to write the pointer to victim (newly inserted chunk) to arbitrary memory
locations if bk or bk_nextsize pointers of the next large bin chunk
got corrupted.

(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)
---
 malloc/malloc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index feaf7ee0bf..ce771375b6 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)
                         {
                           victim->fd_nextsize = fwd;
                           victim->bk_nextsize = fwd->bk_nextsize;
+                          if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))
+                            malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");
                           fwd->bk_nextsize = victim;
                           victim->bk_nextsize->fd_nextsize = victim;
                         }
                       bck = fwd->bk;
+                      if (bck->fd != fwd)
+                        malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");
                     }
                 }
               else
glibc: update patches Signed-off-by: Jürgen Buchmüller <pullmoll@t-online.de> 2019-05-28 10:50:16 +00:00			`From 52b7cd6e9a701bb203023d56e84551943dc6a4c0 Mon Sep 17 00:00:00 2001`
			`From: Adam Maris <amaris@redhat.com>`
			`Date: Thu, 14 Mar 2019 16:51:16 -0400`
			`Subject: [PATCH 18] malloc: Check for large bin list corruption when`
			`inserting unsorted chunk`

			`Fixes bug 24216. This patch adds security checks for bk and bk_nextsize pointers`
			`of chunks in large bin when inserting chunk from unsorted bin. It was possible`
			`to write the pointer to victim (newly inserted chunk) to arbitrary memory`
			`locations if bk or bk_nextsize pointers of the next large bin chunk`
			`got corrupted.`

			`(cherry picked from commit 5b06f538c5aee0389ed034f60d90a8884d6d54de)`
			`---`
			`malloc/malloc.c \| 4 ++++`
			`1 file changed, 4 insertions(+)`

			`diff --git a/malloc/malloc.c b/malloc/malloc.c`
			`index feaf7ee0bf..ce771375b6 100644`
			`--- a/malloc/malloc.c`
			`+++ b/malloc/malloc.c`
			`@@ -3876,10 +3876,14 @@ _int_malloc (mstate av, size_t bytes)`
			`{`
			`victim->fd_nextsize = fwd;`
			`victim->bk_nextsize = fwd->bk_nextsize;`
			`+ if (__glibc_unlikely (fwd->bk_nextsize->fd_nextsize != fwd))`
			`+ malloc_printerr ("malloc(): largebin double linked list corrupted (nextsize)");`
			`fwd->bk_nextsize = victim;`
			`victim->bk_nextsize->fd_nextsize = victim;`
			`}`
			`bck = fwd->bk;`
			`+ if (bck->fd != fwd)`
			`+ malloc_printerr ("malloc(): largebin double linked list corrupted (bk)");`
			`}`
			`}`
			`else`