From: James Raphael Tiovalen
To: musl@lists.openwall.com
Cc: James Raphael Tiovalen
Date: Sat, 16 Sep 2023 15:08:24 +0800
Message-ID: <20230916070824.124528-1-jamestiotio@gmail.com>
Subject: [musl] [PATCH v2] Add a safe dequeue integrity check for mallocng

This commit adds an integrity check to allow for safer dequeuing of the out-of-band meta structs in mallocng. If the unlikely condition is true due to some sort of heap metadata corruption, we abort. This approach is similar to the safe unlinking check performed by glibc.

While this check would not prevent more sophisticated attacks in more specific scenarios, as shown by the historical exploitation efforts on glibc, this check would prevent more basic heap metadata corruption attacks from being successfully executed. Having this check here would reduce the risk of pointer hijacking, mitigate the impact of attacker-controlled `prev` and `next` pointers that could be obtained via a vulnerable program, and restrict the tampering of other memory regions via arbitrary write primitives.

---
v1 -> v2: Modify the check to an assert.
---
 src/malloc/mallocng/meta.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/malloc/mallocng/meta.h b/src/malloc/mallocng/meta.h
index 61ec53f9..847598b5 100644
--- a/src/malloc/mallocng/meta.h
+++ b/src/malloc/mallocng/meta.h @@ -90,6 +90,7 @@ static inline void queue(struct meta **phead, struct meta *m) static inline void dequeue(struct meta **phead, struct meta *m) { if (m->next != m) { + assert(m->prev->next == m && m->next->prev == m); m->prev->next = m->next; m->next->prev = m->prev; if (*phead == m) *phead = m->next; -- 2.42.0
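Review bot: the new assert only guards the `m->next != m` path; the singleton case (m->next == m) takes the else branch, which this hunk does not show, and a corrupted `m->prev` on such a node still goes unchecked, so consider asserting `m->prev == m` there as well for symmetry. Two smaller points: the commit message promises an abort, so confirm that the `assert` used in meta.h is not compiled out under NDEBUG in a release build, and a one-line comment above the new line saying that it is a ring-consistency check against heap metadata corruption would help readers who meet this code without the commit history.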
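A stand-alone illustration of the check this patch introduces, added here and not musl code or the submitter's: a minimal ring with the shape of mallocng's queue()/dequeue(), where the integrity check returns a status instead of calling assert() so that both the intact and the corrupted outcome can be observed. `struct meta`, `checked_dequeue`, the `demo_*` functions and the rogue node are constructed for this example.

```c
/* Stand-in for mallocng's struct meta: only the ring links matter here. */
struct meta { struct meta *prev, *next; };
/* Mirrors mallocng's queue(): append m to the circular ring at *phead. */
static void queue(struct meta **phead, struct meta *m)
{
	if (*phead) {
		m->next = *phead;
		m->prev = (*phead)->prev;
		m->next->prev = m->prev->next = m;
	} else {
		m->prev = m->next = m;
		*phead = m;
	}
}

/* The patched dequeue(), except a failed integrity check returns -1
 * instead of calling assert(), so the verdict can be inspected. */
static int checked_dequeue(struct meta **phead, struct meta *m)
{
	if (m->next != m) {
		if (m->prev->next != m || m->next->prev != m) return -1;
		m->prev->next = m->next;
		m->next->prev = m->prev;
		if (*phead == m) *phead = m->next;
	} else {
		*phead = 0;
	}
	m->prev = m->next = 0;
	return 0;
}

/* Intact ring a-b-c: dequeuing b succeeds and leaves a and c linked both ways. */
static int demo_intact_ring(void)
{
	struct meta a = {0}, b = {0}, c = {0}, *head = 0;
	queue(&head, &a); queue(&head, &b); queue(&head, &c);
	if (checked_dequeue(&head, &b)) return -1;
	return (head == &a && a.next == &c && c.prev == &a && c.next == &a && a.prev == &c) ? 0 : -2;
}

/* Constructed corruption: b->prev is redirected to a node whose next does not
 * point back at b. The unchecked unlink would write m->next through it. */
static int demo_corrupted_prev(void)
{
	struct meta a = {0}, b = {0}, c = {0}, rogue = {0}, *head = 0;
	queue(&head, &a); queue(&head, &b); queue(&head, &c);
	rogue.prev = rogue.next = &rogue; b.prev = &rogue;
	return checked_dequeue(&head, &b); /* -1: the check trips */
}
```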