48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
From 510a25f2d208e3b0c86f54b053f61c5b647e4b9b Mon Sep 17 00:00:00 2001
|
|
From: Pochang Chen <johnchen902@gmail.com>
|
|
Date: Thu, 16 Aug 2018 15:24:24 -0400
|
|
Subject: [PATCH 38] malloc: Verify size of top chunk.
|
|
|
|
The House of Force is a well-known technique to exploit heap
|
|
overflow. In essence, this exploit takes three steps:
|
|
1. Overwrite the size of top chunk with very large value (e.g. -1).
|
|
2. Request x bytes from top chunk. As the size of top chunk
|
|
is corrupted, x can be arbitrarily large and top chunk will
|
|
still be offset by x.
|
|
3. The next allocation from top chunk will thus be controllable.
|
|
|
|
If we verify the size of top chunk at step 2, we can stop such attack.
|
|
|
|
(cherry picked from commit 30a17d8c95fbfb15c52d1115803b63aaa73a285c)
|
|
---
|
|
ChangeLog | 4 ++++
|
|
malloc/malloc.c | 3 +++
|
|
2 files changed, 7 insertions(+)
|
|
|
|
diff --git a/ChangeLog b/ChangeLog
|
|
index 88814e6947..44795b2e61 100644
|
|
--- a/ChangeLog
|
|
+++ b/ChangeLog
|
|
@@ -1,3 +1,7 @@
|
|
+2018-08-16 Pochang Chen <johnchen902@gmail.com>
|
|
+
|
|
+ * malloc/malloc.c (_int_malloc.c): Verify size of top chunk.
|
|
+
|
|
2018-08-13 Joseph Myers <joseph@codesourcery.com>
|
|
|
|
* sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
|
index e247c77b7d..9431108626 100644
|
|
--- a/malloc/malloc.c
|
|
+++ b/malloc/malloc.c
|
|
@@ -4076,6 +4076,9 @@ _int_malloc (mstate av, size_t bytes)
|
|
victim = av->top;
|
|
size = chunksize (victim);
|
|
|
|
+ if (__glibc_unlikely (size > av->system_mem))
|
|
+ malloc_printerr ("malloc(): corrupted top size");
|
|
+
|
|
if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
|
|
{
|
|
remainder_size = size - nb;
|
|
|