From 49c3c37651e2d2ec4ff8ce21252bbbc08a9d6639 Mon Sep 17 00:00:00 2001
From: Eyal Itkin <eyalit@checkpoint.com>
Date: Tue, 31 Mar 2020 02:00:14 -0400
Subject: Fix alignment bug in Safe-Linking

Alignment checks should be performed on the user's buffer and NOT
on the mchunkptr as was done before. This caused bugs in 32 bit
versions, because: 2*sizeof(t) != MALLOC_ALIGNMENT.

As the tcache works on users' buffers it uses the aligned_OK()
check, and the rest work on mchunkptr and therefore check using
misaligned_chunk().

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/malloc/malloc.c b/malloc/malloc.c
index 0e4acb22f6..6acb5ad43a 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2169,7 +2169,7 @@ do_check_malloc_state (mstate av)
 
       while (p != 0)
         {
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("do_check_malloc_state(): "
 			     "unaligned fastbin chunk detected");
           /* each chunk claims to be inuse */
@@ -2949,11 +2949,11 @@ static __always_inline void *
 tcache_get (size_t tc_idx)
 {
   tcache_entry *e = tcache->entries[tc_idx];
+  if (__glibc_unlikely (!aligned_OK (e)))
+    malloc_printerr ("malloc(): unaligned tcache chunk detected");
   tcache->entries[tc_idx] = REVEAL_PTR (e->next);
   --(tcache->counts[tc_idx]);
   e->key = NULL;
-  if (__glibc_unlikely (!aligned_OK (e)))
-    malloc_printerr ("malloc(): unaligned tcache chunk detected");
   return (void *) e;
 }
 
@@ -3591,7 +3591,7 @@ _int_malloc (mstate av, size_t bytes)
       if (victim == NULL)				\
 	break;						\
       pp = REVEAL_PTR (victim->fd);                                     \
-      if (__glibc_unlikely (!aligned_OK (pp)))                          \
+      if (__glibc_unlikely (pp != NULL && misaligned_chunk (pp)))       \
 	malloc_printerr ("malloc(): unaligned fastbin chunk detected"); \
     }							\
   while ((pp = catomic_compare_and_exchange_val_acq (fb, pp, victim)) \
@@ -3606,8 +3606,8 @@ _int_malloc (mstate av, size_t bytes)
 
       if (victim != NULL)
 	{
-	  if (__glibc_unlikely (!aligned_OK (victim)))
-	    malloc_printerr ("malloc(): unaligned fastbin chunk detected");
+	  if (__glibc_unlikely (misaligned_chunk (victim)))
+	    malloc_printerr ("malloc(): unaligned fastbin chunk detected 2");
 
 	  if (SINGLE_THREAD_P)
 	    *fb = REVEAL_PTR (victim->fd);
@@ -3631,8 +3631,8 @@ _int_malloc (mstate av, size_t bytes)
 		  while (tcache->counts[tc_idx] < mp_.tcache_count
 			 && (tc_victim = *fb) != NULL)
 		    {
-		      if (__glibc_unlikely (!aligned_OK (tc_victim)))
-			malloc_printerr ("malloc(): unaligned fastbin chunk detected");
+		      if (__glibc_unlikely (misaligned_chunk (tc_victim)))
+			malloc_printerr ("malloc(): unaligned fastbin chunk detected 3");
 		      if (SINGLE_THREAD_P)
 			*fb = REVEAL_PTR (tc_victim->fd);
 		      else
@@ -4505,7 +4505,7 @@ static void malloc_consolidate(mstate av)
     if (p != 0) {
       do {
 	{
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("malloc_consolidate(): "
 			     "unaligned fastbin chunk detected");
 
@@ -4937,7 +4937,7 @@ int_mallinfo (mstate av, struct mallinfo *m)
 	   p != 0;
 	   p = REVEAL_PTR (p->fd))
         {
-	  if (__glibc_unlikely (!aligned_OK (p)))
+	  if (__glibc_unlikely (misaligned_chunk (p)))
 	    malloc_printerr ("int_mallinfo(): "
 			     "unaligned fastbin chunk detected");
           ++nfastblocks;
@@ -5479,7 +5479,7 @@ __malloc_info (int options, FILE *fp)
 
 	      while (p != NULL)
 		{
-		  if (__glibc_unlikely (!aligned_OK (p)))
+		  if (__glibc_unlikely (misaligned_chunk (p)))
 		    malloc_printerr ("__malloc_info(): "
 				     "unaligned fastbin chunk detected");
 		  ++nthissize;