31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
|
commit 30a17d8c95fbfb15c52d1115803b63aaa73a285c
|
||
|
|
Author: Pochang Chen <johnchen902@gmail.com>
|
||
|
|
Date: Thu Aug 16 15:24:24 2018 -0400
|
||
|
|
|
||
|
|
malloc: Verify size of top chunk.
|
||
|
|
|
||
|
|
The House of Force is a well-known technique to exploit heap
|
||
|
|
overflow. In essence, this exploit takes three steps:
|
||
|
|
1. Overwrite the size of top chunk with very large value (e.g. -1).
|
||
|
|
2. Request x bytes from top chunk. As the size of top chunk
|
||
|
|
is corrupted, x can be arbitrarily large and top chunk will
|
||
|
|
still be offset by x.
|
||
|
|
3. The next allocation from top chunk will thus be controllable.
|
||
|
|
|
||
|
|
If we verify the size of top chunk at step 2, we can stop such attack.
|
||
|
|
|
||
|
|
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||
|
|
index e450597e2e527fb7..d8d4581a9dcea80a 100644
|
||
|
|
--- a/malloc/malloc.c
|
||
|
|
+++ b/malloc/malloc.c
|
||
|
|
@@ -4084,6 +4084,9 @@ _int_malloc (mstate av, size_t bytes)
|
||
|
|
victim = av->top;
|
||
|
|
size = chunksize (victim);
|
||
|
|
|
||
|
|
+ if (__glibc_unlikely (size > av->system_mem))
|
||
|
|
+ malloc_printerr ("malloc(): corrupted top size");
|
||
|
|
+
|
||
|
|
if ((unsigned long) (size) >= (unsigned long) (nb + MINSIZE))
|
||
|
|
{
|
||
|
|
remainder_size = size - nb;
|