Bug 1447556 - glibc: malloc: check for chunk_size == next->prev->chunk_size in unlink
Summary: glibc: malloc: check for chunk_size == next->prev->chunk_size in unlink
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: glibc
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: DJ Delorie
QA Contact: Sergey Kolosov
URL:
Whiteboard:
Depends On:
Blocks: 1473718
TreeView+ depends on / blocked
 
Reported: 2017-05-03 08:02 UTC by Florian Weimer
Modified: 2018-04-10 14:00 UTC (History)
7 users (show)

Fixed In Version: glibc-2.17-197.el7
Doc Type: Enhancement
Doc Text:
This patch adds an additional check for applications which change memory outside of the range allocated by malloc(), thus further hardening the malloc internals against both accidental and malicious overflows.
Clone Of:
Environment:
Last Closed: 2018-04-10 13:58:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1326739 unspecified CLOSED glibc: backport malloc hardening patch 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHSA-2018:0805 None None None 2018-04-10 14:00:11 UTC

Internal Links: 1326739

Description Florian Weimer 2017-05-03 08:02:45 UTC
We should backport this additional upstream hardening:

commit 17f487b7afa7cd6c316040f3e6c86dc96b2eec30
Author: DJ Delorie <dj@delorie.com>
Date:   Fri Mar 17 15:31:38 2017 -0400

    Further harden glibc malloc metadata against 1-byte overflows.
    
    Additional check for chunk_size == next->prev->chunk_size in unlink()
    
    2017-03-17  Chris Evans  <scarybeasts@gmail.com>
    
            * malloc/malloc.c (unlink): Add consistency check between size and
            next->prev->size, to further harden against 1-byte overflows.

This is on top of the hardening in bug 1326739.

Comment 5 errata-xmlrpc 2018-04-10 13:58:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0805


Note You need to log in before you can comment on or make changes to this bug.