summaryrefslogtreecommitdiffstats
path: root/patches/source/glibc/glibc-2.17_hardening.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/glibc/glibc-2.17_hardening.diff')
-rw-r--r--patches/source/glibc/glibc-2.17_hardening.diff33
1 files changed, 33 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_hardening.diff b/patches/source/glibc/glibc-2.17_hardening.diff
new file mode 100644
index 00000000..7c437874
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_hardening.diff
@@ -0,0 +1,33 @@
+From e92cd23a2bbc7d3e038187e6d35af03d307a1e43 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Tue, 21 Oct 2014
+Subject: Hardening patch
+
+As reported by the projectzero developer who designed the recent off-by-one
+glibc root exploit, extending glibc metadata hardening would have made
+exploitation much more difficult and potentially impossible.
+
+This fix for use on glibc 2.17 is based on the following upstream
+commit:
+
+https://sourceware.org/git/?p=glibc.git;h=52ffbdf25a11
+
+---
+ malloc/malloc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -1435,8 +1435,10 @@ typedef struct malloc_chunk* mbinptr;
+ BK->fd = FD; \
+ if (!in_smallbin_range (P->size) \
+ && __builtin_expect (P->fd_nextsize != NULL, 0)) { \
+- assert (P->fd_nextsize->bk_nextsize == P); \
+- assert (P->bk_nextsize->fd_nextsize == P); \
++ if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
++ || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
++ malloc_printerr (check_action, \
++ "corrupted double-linked list (not small)", P);\
+ if (FD->fd_nextsize == NULL) { \
+ if (P->fd_nextsize == P) \
+ FD->fd_nextsize = FD->bk_nextsize = FD; \