path: root/patches/source/glibc/glibc-2.17_hardening.diff
Diffstat (limited to 'patches/source/glibc/glibc-2.17_hardening.diff')
-rw-r--r--patches/source/glibc/glibc-2.17_hardening.diff33
1 files changed, 33 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_hardening.diff b/patches/source/glibc/glibc-2.17_hardening.diff
new file mode 100644
index 000000000..7c437874e
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_hardening.diff
@@ -0,0 +1,33 @@
+From e92cd23a2bbc7d3e038187e6d35af03d307a1e43 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Tue, 21 Oct 2014
+Subject: Hardening patch
+
+As reported by the projectzero developer who designed the recent off-by-one
+glibc root exploit, extending glibc metadata hardening would have made
+exploitation much more difficult and potentially impossible.
+
+This fix for use on glibc 2.17 is based on the following upstream
+commit:
+
+https://sourceware.org/git/?p=glibc.git;h=52ffbdf25a11
+
+---
+ malloc/malloc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -1435,8 +1435,10 @@ typedef struct malloc_chunk* mbinptr;
+ BK->fd = FD; \
+ if (!in_smallbin_range (P->size) \
+ && __builtin_expect (P->fd_nextsize != NULL, 0)) { \
+- assert (P->fd_nextsize->bk_nextsize == P); \
+- assert (P->bk_nextsize->fd_nextsize == P); \
++ if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
++ || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
++ malloc_printerr (check_action, \
++ "corrupted double-linked list (not small)", P);\
+ if (FD->fd_nextsize == NULL) { \
+ if (P->fd_nextsize == P) \
+ FD->fd_nextsize = FD->bk_nextsize = FD; \
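Review bot: The new check on the `if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) || ...` lines is only a hard stop when `malloc_printerr` does not return, which in this code base depends on the runtime `check_action` value rather than on the check itself; if a process is started with MALLOC_CHECK_ set so that `malloc_printerr` merely reports (or is silent) and returns, the macro falls through to `if (FD->fd_nextsize == NULL)` and keeps walking the inconsistent `fd_nextsize`/`bk_nextsize` links. That matches the upstream commit the description cites, so it is a point to document rather than change; the patch description could add a sentence such as `Note: like the existing malloc_printerr checks, this is fatal only when check_action has the abort bit set; the assert it replaces was presumably compiled out in NDEBUG builds, so the new check is also active in production.` The `unlink` macro this hunk edits starts and ends outside the hunk, so the `#define` line and the remaining `fd_nextsize` branches it touches are not visible here.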