From e92cd23a2bbc7d3e038187e6d35af03d307a1e43 Mon Sep 17 00:00:00 2001
From: mancha <mancha1 AT zoho DOT com>
Date: Tue, 21 Oct 2014
Subject: Hardening patch

As reported by the projectzero developer who designed the recent off-by-one
glibc root exploit, extending glibc metadata hardening would have made
exploitation much more difficult and potentially impossible.

This fix for use on glibc 2.17 is based on the following upstream
commit:

https://sourceware.org/git/?p=glibc.git;h=52ffbdf25a11

---
 malloc/malloc.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -1435,8 +1435,10 @@ typedef struct malloc_chunk* mbinptr;
     BK->fd = FD;                                                       \
     if (!in_smallbin_range (P->size)				       \
 	&& __builtin_expect (P->fd_nextsize != NULL, 0)) {	       \
-      assert (P->fd_nextsize->bk_nextsize == P);		       \
-      assert (P->bk_nextsize->fd_nextsize == P);		       \
+      if (__builtin_expect (P->fd_nextsize->bk_nextsize != P, 0)       \
+          || __builtin_expect (P->bk_nextsize->fd_nextsize != P, 0))   \
+        malloc_printerr (check_action,				       \
+			"corrupted double-linked list (not small)", P);\
       if (FD->fd_nextsize == NULL) {				       \
 	if (P->fd_nextsize == P)				       \
 	  FD->fd_nextsize = FD->bk_nextsize = FD;		       \