malloc: additional unlink hardening for non-small bins [BZ #17344]

Turn two asserts into a conditional call to malloc_printerr. The memory locations are accessed later anyway, so the performance impact is minor.
git-mirror · Sep 11, 2014 · 52ffbdf · 52ffbdf
1 parent 984c0ea
commit 52ffbdf
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+2014-09-11  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #17344]
+	* malloc/malloc.c (unlink): Turn asserts into a call to
+	malloc_printerr.
+
 2014-09-11  Tim Lammens  <tim.lammens@gmail.com>
 
 	[BZ #17370]

diff --git a/NEWS b/NEWS
@@ -29,7 +29,7 @@ Version 2.20
   16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
   17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
   17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
-  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354.
+  17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17344, 17354.
 
 * Reverted change of ABI data structures for s390 and s390x:
   On s390 and s390x the size of struct ucontext and jmp_buf was increased in

diff --git a/malloc/malloc.c b/malloc/malloc.c
@@ -1418,8 +1418,10 @@ typedef struct malloc_chunk *mbinptr;
         BK->fd = FD;							      \
         if (!in_smallbin_range (P->size)				      \
             && __builtin_expect (P->fd_nextsize != NULL, 0)) {		      \
-            assert (P->fd_nextsize->bk_nextsize == P);			      \
-            assert (P->bk_nextsize->fd_nextsize == P);			      \
+	    if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0)	      \
+		|| __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0))    \
+	      malloc_printerr (check_action,				      \
+			       "corrupted double-linked list (not small)", P);\
             if (FD->fd_nextsize == NULL) {				      \
                 if (P->fd_nextsize == P)				      \
                   FD->fd_nextsize = FD->bk_nextsize = FD;		      \