Security Checks
This presents a summary of the security checks introduced in glibc's implementation to detect and prevent heap related attacks.
Function
Security Check
Error
unlink
Whether chunk size is equal to the previous size set in the next chunk (in memory)
corrupted size vs. prev_size
unlink
Whether P->fd->bk == P
and P->bk->fd == P
*
corrupted double-linked list
_int_malloc
While removing the first chunk from fastbin (to service a malloc request), check whether the size of the chunk falls in fast chunk size range
malloc(): memory corruption (fast)
_int_malloc
While removing the last chunk (victim
) from a smallbin (to service a malloc request), check whether victim->bk->fd
and victim
are equal
malloc(): smallbin double linked list corrupted
_int_malloc
While iterating in unsorted bin, check whether size of current chunk is within minimum (2*SIZE_SZ
) and maximum (av->system_mem
) range
malloc(): memory corruption
_int_malloc
While inserting last remainder chunk into unsorted bin (after splitting a large chunk), check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av)
malloc(): corrupted unsorted chunks
_int_malloc
While inserting last remainder chunk into unsorted bin (after splitting a fast or a small chunk), check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av)
malloc(): corrupted unsorted chunks 2
_int_free
Check whether p
** is before p + chunksize(p)
in the memory (to avoid wrapping)
free(): invalid pointer
_int_free
Check whether the chunk is at least of size MINSIZE
or a multiple of MALLOC_ALIGNMENT
free(): invalid size
_int_free
For a chunk with size in fastbin range, check if next chunk's size is between minimum and maximum size (av->system_mem
)
free(): invalid next size (fast)
_int_free
While inserting fast chunk into fastbin (at HEAD
), check whether the chunk already at HEAD
is not the same
double free or corruption (fasttop)
_int_free
While inserting fast chunk into fastbin (at HEAD
), check whether size of the chunk at HEAD
is same as the chunk to be inserted
invalid fastbin entry (free)
_int_free
If the chunk is not within the size range of fastbin and neither it is a mmapped chunks, check whether it is not the same as the top chunk
double free or corruption (top)
_int_free
Check whether next chunk (by memory) is within the boundaries of the arena
double free or corruption (out)
_int_free
Check whether next chunk's (by memory) previous in use bit is marked
double free or corruption (!prev)
_int_free
Check whether size of next chunk is within the minimum and maximum size (av->system_mem
)
free(): invalid next size (normal)
_int_free
While inserting the coalesced chunk into unsorted bin, check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av)
free(): corrupted unsorted chunks
*: 'P' refers to the chunk being unlinked
**: 'p' refers to the chunk being freed
Last updated