From e92cd23a2bbc7d3e038187e6d35af03d307a1e43 Mon Sep 17 00:00:00 2001
From: mancha
Date: Tue, 21 Oct 2014
Subject: Hardening patch
As reported by the projectzero developer who designed the recent off-by-one glibc root exploit, extending glibc metadata hardening would have made exploitation much more difficult and potentially impossible. This fix for use on glibc 2.17 is based on the following upstream commit: https://sourceware.org/git/?p=glibc.git;h=52ffbdf25a11
---
 malloc/malloc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1435,8 +1435,10 @@ typedef struct malloc_chunk* mbinptr;
 BK->fd = FD; \
 if (!in_smallbin_range (P->size) \
 && __builtin_expect (P->fd_nextsize != NULL, 0)) { \
- assert (P->fd_nextsize->bk_nextsize == P); \
- assert (P->bk_nextsize->fd_nextsize == P); \
+ if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
+ || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
+ malloc_printerr (check_action, \
+ "corrupted double-linked list (not small)", P);\
 if (FD->fd_nextsize == NULL) { \
 if (P->fd_nextsize == P) \
 FD->fd_nextsize = FD->bk_nextsize = FD; \
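Review bot: The new `malloc_printerr (check_action, ...)` call on the added lines is only a hard stop when `check_action` includes the abort flag (which `M_CHECK_ACTION` / `MALLOC_CHECK_` can clear, as far as I recall of glibc 2.17); when it merely prints, control falls through to `if (FD->fd_nextsize == NULL) {` and the nextsize relinking below it, which still reads and writes through the same `fd_nextsize`/`bk_nextsize` pointers the check just found inconsistent, so the diagnostic alone does not prevent the follow-on metadata writes. This mirrors the upstream commit the description cites and may be an accepted limitation, but a comment such as `/* malloc_printerr returns unless check_action aborts; the relinking below then still uses the suspect nextsize pointers. */` above the new `if` would stop readers from assuming the message is itself protective. The enclosing macro (glibc's `unlink`, judging by the body) begins and ends outside the hunk, so the previous small-bin check's handling cannot be compared here. As a point of style, the last added line ends in `P);\` with no space before the continuation backslash, unlike every neighbouring line; `P); \` keeps the macro's column layout consistent.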