From 52ffbdf25a1100986f4ae27bb0febbe5a722ab25 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Wed, 10 Sep 2014 20:29:15 +0200
Subject: [PATCH] malloc: additional unlink hardening for non-small bins [BZ #17344]
Turn two asserts into a conditional call to malloc_printerr. The memory locations are accessed later anyway, so the performance impact is minor.
---
 ChangeLog | 6 ++++++
 NEWS | 2 +-
 malloc/malloc.c | 6 ++++--
 3 files changed, 11 insertions(+), 3 deletions(-)
#diff --git a/ChangeLog b/ChangeLog
#index 0377062..71c9671 100644
#--- a/ChangeLog
#+++ b/ChangeLog
#@@ -1,3 +1,9 @@
#+2014-09-11 Florian Weimer <fweimer@redhat.com>
#+
#+ [BZ #17344]
#+ * malloc/malloc.c (unlink): Turn asserts into a call to
#+ malloc_printerr.
#+
# 2014-09-11 Tim Lammens <tim.lammens@gmail.com>
# 
# [BZ #17370]
#diff --git a/NEWS b/NEWS
#index c607d12..680c265 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -29,7 +29,7 @@ Version 2.20
# 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
# 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
# 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
#- 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
#+ 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354.
# 
# * Reverted change of ABI data structures for s390 and s390x:
# On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 6ee3840..6cbe9f3 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
         BK->fd = FD; \
         if (!in_smallbin_range (P->size) \
             && __builtin_expect (P->fd_nextsize != NULL, 0)) { \
-            assert (P->fd_nextsize->bk_nextsize == P); \
-            assert (P->bk_nextsize->fd_nextsize == P); \
+            if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0) \
+                || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0)) \
+              malloc_printerr (check_action, \
+                               "corrupted double-linked list (not small)", P);\
             if (FD->fd_nextsize == NULL) { \
                 if (P->fd_nextsize == P) \
                   FD->fd_nextsize = FD->bk_nextsize = FD; \
-- 
2.1.0
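Review bot: The new check on the `+` lines reports the inconsistent nextsize links but does not skip the relinking that follows: if `malloc_printerr` returns — which, assuming `check_action` is the usual MALLOC_CHECK_ bitmask, it does whenever the abort bit is clear — control falls straight into `if (FD->fd_nextsize == NULL) {` and the `fd_nextsize`/`bk_nextsize` pointers that just failed validation are dereferenced and written through. The asserts being replaced were fatal whenever they were compiled in, so in a print-only configuration this is weaker than before, and the existing `corrupted double-linked list` check earlier in `unlink` avoids exactly this by putting the relink in an `else` branch. Making this relink conditional looks like a one-line change, `else if (FD->fd_nextsize == NULL) {` (the trailing `else` of that inner statement then chains correctly), but the end of that statement and the `unlink` macro as a whole lie outside this hunk, so confirm the brace structure before applying. Either way a comment such as `/* A non-aborting check_action falls through to the relink below.  */` would make the fall-through explicit.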