From d10176c0ffeadbc0bcd443741f53ebd85e70db44 Mon Sep 17 00:00:00 2001
From: Ben Kallus
Date: Tue, 11 Feb 2025 14:29:51 -0500
Subject: [PATCH] malloc: Add size check when moving fastbin->tcache
By overwriting a forward link in a fastbin chunk that is subsequently moved into the tcache, it's possible to get malloc to return an arbitrary address [0]. When a chunk is fetched from a fastbin, its size is checked against the expected chunk size for that fastbin (see malloc.c:3991). This patch adds a similar check for chunks being moved from a fastbin to tcache, which renders obsolete the exploitation technique described above. Now updated to use __glibc_unlikely instead of __builtin_expect, as requested.
[0]: https://github.com/shellphish/how2heap/blob/master/glibc_2.39/fastbin_reverse_into_tcache.c
Signed-off-by: Ben Kallus
Reviewed-by: Adhemerval Zanella
---
 malloc/malloc.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/malloc/malloc.c b/malloc/malloc.c
index 27dfd1eb90..dcac903e2a 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -4005,6 +4005,9 @@ _int_malloc (mstate av, size_t bytes)
 {
 if (__glibc_unlikely (misaligned_chunk (tc_victim)))
 malloc_printerr ("malloc(): unaligned fastbin chunk detected 3");
+size_t victim_tc_idx = csize2tidx (chunksize (tc_victim));
+if (__glibc_unlikely (tc_idx != victim_tc_idx))
+malloc_printerr ("malloc(): chunk size mismatch in fastbin");
 if (SINGLE_THREAD_P)
 *fb = REVEAL_PTR (tc_victim->fd);
 else
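Review bot: The three added lines carry no comment explaining why a chunk pulled off the fastbin list needs its size re-verified before it is stashed in the tcache, which is the whole point of the change and the kind of hardening that gets "simplified away" later if its purpose is not written down next to it; suggested comment above the `size_t victim_tc_idx` line: `/* tc_victim was reached through a fastbin fd link that an attacker may have overwritten; refuse to move a chunk of the wrong size class into the tcache, as the fastbin_index check on the head chunk above does.  */`. A smaller, inferred point: the commit message says the head-of-fastbin check compares fastbin indices, while this check compares tcache indices via `csize2tidx`, so the two use different size-class granularity on any target where MALLOC_ALIGNMENT and the fastbin bin spacing differ — if the tcache index is the deliberate choice here, one clause in that comment saying so would keep a future reader from "harmonizing" the two. The enclosing `while` loop and `_int_malloc` itself both start and end outside the hunk.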