This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH v2 0/7] Additional integrity checks for the malloc
- From: Istvan Kurucsai <pistukem at gmail dot com>
- To: libc-alpha at sourceware dot org
- Cc: Istvan Kurucsai <pistukem at gmail dot com>
- Date: Tue, 7 Nov 2017 16:27:03 +0100
- Subject: [PATCH v2 0/7] Additional integrity checks for the malloc
- Authentication-results: sourceware.org; auth=none
This is an actualized version of a patch set I submitted previously [8].
The patch set tries to improve on the current integrity checks in malloc. The
goal was to eliminate known exploitation techniques with the simplest possible
changes.
The tests passed but I did no profiling. The performance impact of the mmap
related parts shouldn't be noticeable, the others I'm not sure about. I already
did copyright assignment.
A quick overview of the individual patches:
(1/7) An attempt at hardening the `use_top` part of malloc against corruption
and pivoting of the top chunk, known as the House of Force [1]. The possibility
of extending the top chunk from an mmapped arena into another remains. Note
that this is almost identical to a recently submitted patch [9].
(2/7) The binning code in malloc is rather attacker-friendly [2][3]. Change
this by enforcing as many invariants as possible on chunks from the unsorted
bin.
(3/7) `malloc_consolidate` contains no integrity checks beside the ones in
`unlink`. This can be abused by an attacker in a couple of ways [4]. The patch
limits the possibilities significantly.
(4/7) Fix an unsigned underflow and subsequent wild memcpy that can be
triggered by a corrupted chunk size in `__libc_realloc` [5].
(5/7) By corrupting the `IS_MMAPPED` bit of a free chunk, an attacker can force
calloc to return an uninitialized chunk [6]. The patch adds checks to the
`IS_MMAPPED` path in calloc, even though the protection is not complete.
(6/7), (7/7): Additional checks around the unmapping and remapping of chunks,
which are abusable in different ways [7]. Also feels somewhat incomplete but
still an improvement.
[1]: https://github.com/shellphish/how2heap/blob/master/house_of_force.c
[2]: https://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf
[3]: https://github.com/shellphish/how2heap/blob/master/unsorted_bin_attack.c
[4]: http://tukan.farm/2016/09/04/fastbin-fever/
[5]: http://tukan.farm/2016/11/03/once-upon-a-realloc/
[6]: http://tukan.farm/2016/10/14/scraps-of-notes/
[7]: http://tukan.farm/2016/07/27/munmap-madness/
[8]: https://sourceware.org/ml/libc-alpha/2017-05/msg00899.html
[9]: https://sourceware.org/ml/libc-alpha/2017-10/msg01202.html
Istvan Kurucsai (7):
malloc: Add check for top size corruption.
malloc: Additional checks for unsorted bin integrity I.
malloc: Ensure that the consolidated fast chunk has a sane size.
malloc: Ensure lower bound on chunk size in __libc_realloc.
malloc: Verify the integrity of mmapped chunks in calloc.
malloc: Add more integrity checks to mremap_chunk.
malloc: Check the alignment of mmapped chunks before unmapping.
malloc/malloc.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 50 insertions(+), 10 deletions(-)
--
2.7.4