malloc: additional unlink hardening for non-small bins [BZ #17344]

Turn two asserts into a conditional call to malloc_printerr. The memory locations are accessed later anyway, so the performance impact is minor.
2014-09-10 20:29:15 +02:00 · 2014-09-10 20:29:15 +02:00 · 52ffbdf25a
parent 984c0ea97f
commit 52ffbdf25a
3 changed files with 11 additions and 3 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2014-09-11  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #17344]
+	* malloc/malloc.c (unlink): Turn asserts into a call to
+	malloc_printerr.
+
 2014-09-11  Tim Lammens  <tim.lammens@gmail.com>

 	[BZ #17370]
--- a/2
+++ b/2
@ -29,7 +29,7 @@ Version 2.20
  16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
  17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
  17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
-  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
+  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354.

 * Reverted change of ABI data structures for s390 and s390x:
  On s390 and s390x the size of struct ucontext and jmp_buf was increased in
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
        BK->fd = FD;							      \
        if (!in_smallbin_range (P->size)				      \
            && __builtin_expect (P->fd_nextsize != NULL, 0)) {		      \
-            assert (P->fd_nextsize->bk_nextsize == P);			      \
-            assert (P->bk_nextsize->fd_nextsize == P);			      \
+	    if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0)	      \
+		|| __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0))    \
+	      malloc_printerr (check_action,				      \
+			       "corrupted double-linked list (not small)", P);\
            if (FD->fd_nextsize == NULL) {				      \
                if (P->fd_nextsize == P)				      \
                  FD->fd_nextsize = FD->bk_nextsize = FD;		      \