From: James Raphael Tiovalen
To: musl@lists.openwall.com
Cc: James Raphael Tiovalen
Date: Sat, 9 Sep 2023 01:49:39 +0800
Message-ID: <20230908174939.80579-1-jamestiotio@gmail.com>
Subject: [musl] [PATCH] Add a safe dequeue integrity check for mallocng

This commit adds an integrity check to allow for safer dequeuing of meta structs in mallocng. If the unlikely condition is true due to some sort of heap corruption, we print an error message and abort. This approach is similar to the safe unlinking check performed by glibc. While this check would not prevent more sophisticated attacks in more specific scenarios, as shown by the historical exploitation efforts on glibc, this check would prevent more basic heap corruption attacks from being successfully executed.

--- src/malloc/mallocng/meta.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/malloc/mallocng/meta.h b/src/malloc/mallocng/meta.h index 61ec53f9..57946d01 100644 --- a/src/malloc/mallocng/meta.h +++ b/src/malloc/mallocng/meta.h @@ -2,9 +2,11 @@ #define MALLOC_META_H #include +#include #include #include #include "glue.h" +#include "libm.h" __attribute__((__visibility__("hidden"))) extern const uint16_t size_classes[];
@@ -90,6 +92,10 @@ static inline void queue(struct meta **phead, struct meta *m) static inline void dequeue(struct meta **phead, struct meta *m) { if (m->next != m) { + if (predict_false(m->prev->next != m || m->next->prev != m)) { + fprintf(stderr, "Corrupted doubly-linked meta list\n"); + abort(); + } m->prev->next = m->next; m->next->prev = m->prev; if (*phead == m) *phead = m->next; -- 2.42.0
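Review bot: In the first hunk (the includes at the top of meta.h), `#include "libm.h"` is pulled in only to get `predict_false`; libm.h is the math library's internal header and drags its floating-point declarations into the allocator. If a branch hint is wanted at all on what is a cold abort path, `__builtin_expect(..., 0)` written directly keeps meta.h free of a libm dependency. The other added `#include` (its header name was lost when the mail was extracted) exists only to serve the `fprintf` call in the second hunk, so it can go together with that call if the failure path is changed to match the allocator's existing checks.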
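Review bot: In the dequeue() hunk the condition itself is right (`m->prev->next != m || m->next->prev != m`, evaluated before either neighbour is written), but the failure path should not call `fprintf(stderr, ...)` from inside the allocator: that takes the stderr lock and makes malloc depend on stdio, which is both a layering problem and a reentrancy hazard, and it differs from how mallocng's other consistency checks fail (the `assert` macro that glue.h provides, which aborts via `a_crash()` without printing). Suggest `if (m->prev->next != m || m->next->prev != m) a_crash();`, which also removes the need for any new includes. Since the glibc safe-unlinking analogy is the only justification given, the commit message would also benefit from stating which mallocng corruption scenarios the check is expected to catch, given that meta structs are not laid out like glibc chunk headers.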
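As an added illustration of the check the patch introduces (example code written for this page, not musl's code and not the patch author's): a stand-alone C model of a circular doubly-linked list with a checked dequeue. `struct node`, `queue()`, `dequeue_checked()`, `list_len()` and the two demo functions are constructed here; the dequeue logic mirrors the visible hunk, except that the check returns an error code instead of aborting so the outcome can be inspected. The corrupted-list case is constructed by overwriting one node's `prev` pointer and then confirming that the checked dequeue refuses to touch the list.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for mallocng's struct meta: only the links matter here. */
struct node {
	struct node *prev, *next;
};

/* Append m to a circular list with head *phead (constructed counterpart of queue()). */
static void queue(struct node **phead, struct node *m)
{
	if (!*phead) {
		m->prev = m->next = m;
		*phead = m;
		return;
	}
	struct node *head = *phead;
	m->next = head;
	m->prev = head->prev;
	head->prev->next = m;
	head->prev = m;
}

/* Same structure as the patched dequeue(): the neighbours' back-pointers are
 * verified before either of them is written. Returns 0 on success and -1 when
 * the list is inconsistent (the production code aborts at that point). */
static int dequeue_checked(struct node **phead, struct node *m)
{
	if (m->next != m) {
		if (m->prev->next != m || m->next->prev != m)
			return -1;
		m->prev->next = m->next;
		m->next->prev = m->prev;
		if (*phead == m) *phead = m->next;
	} else {
		*phead = 0;
	}
	m->prev = m->next = 0;
	return 0;
}

/* Count nodes by following next pointers from head (0 for an empty list). */
static int list_len(struct node *head)
{
	if (!head) return 0;
	int n = 0;
	struct node *p = head;
	do { n++; p = p->next; } while (p != head);
	return n;
}

/* Normal case: three nodes queued, the middle one removed. Returns the remaining length. */
static int demo_normal(void)
{
	struct node a = {0}, b = {0}, c = {0}, *head = 0;
	queue(&head, &a); queue(&head, &b); queue(&head, &c);
	if (dequeue_checked(&head, &b) != 0) return -1;
	return list_len(head);
}

/* Constructed corruption: b->prev is overwritten to point at a stray node whose
 * next does not point back at b. Returns 1 if the check rejects the dequeue and
 * the list is left exactly as it was. */
static int demo_corrupted(void)
{
	struct node a = {0}, b = {0}, c = {0}, stray = {0}, *head = 0;
	queue(&head, &a); queue(&head, &b); queue(&head, &c);
	stray.prev = stray.next = &stray;
	b.prev = &stray; /* simulated stray write into the node */
	int rc = dequeue_checked(&head, &b);
	return rc == -1 && list_len(head) == 3 && a.next == &b && c.prev == &b;
}

int main(void)
{
	printf("normal dequeue leaves %d nodes\n", demo_normal());
	printf("corrupted dequeue detected: %s\n", demo_corrupted() ? "yes" : "no");
	return 0;
}
```

The order of operations is the point: both `prev->next` and `next->prev` are read and compared before any store, so a node whose links no longer agree with its neighbours is never unlinked, and neither neighbour is written through a pointer that may have been tampered with.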