Security Checks

This page presents a summary of the security checks introduced in glibc's malloc implementation to detect and prevent heap-related attacks. Each check names the function that performs it, what it compares, and the message printed by malloc_printerr when the check fails.

| Function | Security Check | Error |
| --- | --- | --- |
| `unlink` | Whether the chunk size is equal to the previous size recorded in the next chunk (in memory) | corrupted size vs. prev_size |
| `unlink` | Whether P->fd->bk == P and P->bk->fd == P* | corrupted double-linked list |
| `_int_malloc` | While removing the first chunk from a fastbin (to service a malloc request), check whether the size of that chunk falls in the size range of the fastbin it was taken from (its fastbin_index matches the bin) | malloc(): memory corruption (fast) |
| `_int_malloc` | While removing the last chunk (victim) from a smallbin (to service a malloc request), check whether victim->bk->fd and victim are equal | malloc(): smallbin double linked list corrupted |
| `_int_malloc` | While iterating over the unsorted bin, check whether the size of the current chunk is within the minimum (2*SIZE_SZ) and maximum (av->system_mem) range | malloc(): memory corruption |
| `_int_malloc` | While inserting the last remainder chunk into the unsorted bin (after splitting a chunk taken from a largebin), check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av) | malloc(): corrupted unsorted chunks |
| `_int_malloc` | While inserting the last remainder chunk into the unsorted bin (after splitting a chunk taken from the next non-empty bin found by scanning the binmap; fastbins are never scanned here), check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av) | malloc(): corrupted unsorted chunks 2 |
| `_int_free` | Check whether p** is before p + chunksize(p) in memory (to avoid wrapping around the address space) and whether p is aligned to MALLOC_ALIGNMENT | free(): invalid pointer |
| `_int_free` | Check whether the chunk is at least of size MINSIZE and a multiple of MALLOC_ALIGNMENT (either condition failing triggers the error) | free(): invalid size |
| `_int_free` | For a chunk with size in the fastbin range, check whether the next chunk's size is between the minimum (2*SIZE_SZ) and maximum (av->system_mem) size | free(): invalid next size (fast) |
| `_int_free` | While inserting a fast chunk into a fastbin (at HEAD), check whether the chunk already at HEAD is not the same chunk | double free or corruption (fasttop) |
| `_int_free` | While inserting a fast chunk into a fastbin (at HEAD), and only when HEAD is non-empty, check whether the chunk at HEAD belongs to the same fastbin (same fastbin_index) as the chunk being inserted | invalid fastbin entry (free) |
| `_int_free` | If the chunk is neither within the size range of the fastbins nor an mmapped chunk, check whether it is not the same as the top chunk | double free or corruption (top) |
| `_int_free` | Check whether the next chunk (by memory) is within the boundaries of the arena, i.e. does not lie at or beyond the end of the top chunk | double free or corruption (out) |
| `_int_free` | Check whether the next chunk's (by memory) previous-in-use bit is set | double free or corruption (!prev) |
| `_int_free` | Check whether the size of the next chunk is within the minimum (2*SIZE_SZ) and maximum (av->system_mem) size | free(): invalid next size (normal) |
| `_int_free` | While inserting the coalesced chunk into the unsorted bin, check whether unsorted_chunks(av)->fd->bk == unsorted_chunks(av) | free(): corrupted unsorted chunks |

*: 'P' refers to the chunk being unlinked

**: 'p' refers to the chunk being freed
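To make the checks concrete, the following is an added example (not code from the original page and not glibc's own source): it models the chunk header and re-implements the `unlink` and `_int_free` checks from the table as functions that return the corresponding error string instead of aborting, then runs them over a constructed three-chunk fake heap. The function names (`check_unlink`, `check_free`, `check_fastbin_push`, `build_fake_heap`, the `scenario_*` helpers) and the fake heap layout are assumptions made for the example; the macros are simplified copies of the glibc 2.23-era definitions. The `(out)` check assumes a contiguous main arena, as glibc does.

```c
/* Added example, not glibc code: a model of the checks in the table above, run over
   a constructed fake heap so each error string can be reproduced without aborting. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_SZ            sizeof(size_t)
#define MALLOC_ALIGNMENT   (2 * SIZE_SZ)
#define MALLOC_ALIGN_MASK  (MALLOC_ALIGNMENT - 1)
#define MINSIZE            (4 * SIZE_SZ)       /* 0x20 on 64-bit, 0x10 on 32-bit */
#define DEFAULT_MXFAST     (64 * SIZE_SZ / 4)  /* largest fast chunk: 0x80 / 0x40 */
#define SIZE_BITS          ((size_t)7)
#define PREV_INUSE         ((size_t)1)

typedef struct malloc_chunk {
    size_t prev_size;               /* only meaningful if the previous chunk is free */
    size_t size;                    /* chunk size | flag bits */
    struct malloc_chunk *fd, *bk;   /* bin links, only meaningful while free */
} *mchunkptr;

#define chunksize(p)         ((p)->size & ~SIZE_BITS)
#define next_chunk(p)        ((mchunkptr)((char *)(p) + chunksize(p)))
#define prev_inuse(p)        ((p)->size & PREV_INUSE)
#define aligned_OK(sz)       (((sz) & MALLOC_ALIGN_MASK) == 0)
#define misaligned_chunk(p)  ((uintptr_t)(p) & MALLOC_ALIGN_MASK)
#define fastbin_index(sz)    ((((unsigned int)(sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2)

/* unlink(P): both checks from the table, in glibc's order. NULL means "passed". */
const char *check_unlink(mchunkptr P) {
    if (chunksize(P) != next_chunk(P)->prev_size)
        return "corrupted size vs. prev_size";
    if (P->fd->bk != P || P->bk->fd != P)
        return "corrupted double-linked list";
    return NULL;
}

/* _int_free(p): pointer, size and next-chunk checks for a non-mmapped chunk in an
   arena whose top chunk is `top` and whose total size is `system_mem`. */
const char *check_free(mchunkptr p, mchunkptr top, size_t system_mem) {
    size_t size = chunksize(p);
    if ((uintptr_t)p > (uintptr_t)-size || misaligned_chunk(p))
        return "free(): invalid pointer";          /* p + size would wrap, or p misaligned */
    if (size < MINSIZE || !aligned_OK(size))
        return "free(): invalid size";
    mchunkptr next = next_chunk(p);                /* pointer only; not dereferenced yet */
    if (size <= DEFAULT_MXFAST) {                  /* fastbin path */
        if (next->size <= 2 * SIZE_SZ || chunksize(next) >= system_mem)
            return "free(): invalid next size (fast)";
        return NULL;
    }
    if (p == top)
        return "double free or corruption (top)";
    if ((char *)next >= (char *)top + chunksize(top))
        return "double free or corruption (out)";
    if (!prev_inuse(next))
        return "double free or corruption (!prev)";
    if (next->size <= 2 * SIZE_SZ || chunksize(next) >= system_mem)
        return "free(): invalid next size (normal)";
    return NULL;
}

/* _int_free(p): checks against the current fastbin HEAD (`old`, may be NULL). */
const char *check_fastbin_push(mchunkptr old, mchunkptr p) {
    if (old == p)
        return "double free or corruption (fasttop)";
    if (old != NULL && fastbin_index(chunksize(old)) != fastbin_index(chunksize(p)))
        return "invalid fastbin entry (free)";
    return NULL;
}

/* Constructed sample heap (assumption): A (in use), B (free, in a bin), then top. */
typedef struct { mchunkptr a, b, top; } fake_heap;
static _Alignas(16) char heap_mem[512];
static struct malloc_chunk bin_head;   /* stands in for the bin's sentinel chunk */

fake_heap build_fake_heap(void) {
    fake_heap h;
    memset(heap_mem, 0, sizeof heap_mem);
    h.a = (mchunkptr)heap_mem;
    h.a->size = 0x40 | PREV_INUSE;
    h.b = next_chunk(h.a);
    h.b->size = 0x40 | PREV_INUSE;               /* A, before it, is in use */
    h.top = next_chunk(h.b);
    h.top->prev_size = 0x40;                     /* B is free: its size is recorded here */
    h.top->size = sizeof heap_mem - 0x80;        /* PREV_INUSE clear: B is free */
    bin_head.fd = bin_head.bk = h.b;             /* sentinel <-> B <-> sentinel */
    h.b->fd = h.b->bk = &bin_head;
    return h;
}

/* Scenarios, one per reproduced check, so each result can be examined by name. */
const char *scenario_unlink_ok(void)        { fake_heap h = build_fake_heap(); return check_unlink(h.b); }
const char *scenario_unlink_bad_fd(void)    { fake_heap h = build_fake_heap(); h.b->fd = h.a; return check_unlink(h.b); }
const char *scenario_unlink_bad_size(void)  { fake_heap h = build_fake_heap(); h.b->size = 0x50 | PREV_INUSE; return check_unlink(h.b); }
const char *scenario_free_ok(void)          { fake_heap h = build_fake_heap(); return check_free(h.a, h.top, sizeof heap_mem); }
const char *scenario_free_tiny_size(void)   { fake_heap h = build_fake_heap(); h.a->size = 8 | PREV_INUSE; return check_free(h.a, h.top, sizeof heap_mem); }
const char *scenario_free_top(void)         { fake_heap h = build_fake_heap(); return check_free(h.top, h.top, sizeof heap_mem); }
const char *scenario_double_free_fast(void) { fake_heap h = build_fake_heap(); return check_fastbin_push(h.a, h.a); }

#define SHOW(fn) printf("%-26s -> %s\n", #fn, fn() ? fn() : "passed")
int main(void) {
    SHOW(scenario_unlink_ok);     SHOW(scenario_unlink_bad_fd);  SHOW(scenario_unlink_bad_size);
    SHOW(scenario_free_ok);       SHOW(scenario_free_tiny_size); SHOW(scenario_free_top);
    SHOW(scenario_double_free_fast);
    return 0;
}
```

The corruption scenarios mirror the attacker's view: `scenario_unlink_bad_fd` forges only B->fd, which the classic unsafe-unlink write would do, and fails because A->bk does not point back at B; `scenario_unlink_bad_size` changes B's size so it no longer agrees with the prev_size stored at the start of top; `scenario_double_free_fast` is the immediate double free that `(fasttop)` catches, while a double free with another chunk freed in between would pass this particular check.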