There is a security issue in `DeallocChunk`, due to lack of bounds on size - just like in `AllocChunk`, size has to be >= `snmalloc::MIN_CHUNK_SIZE`. There is of course an assert for that in snmalloc, largebuddyrange.h, line 306:

I've built a simple POC which segfaults in release builds (probabilistically, not always):
And, this is the callstack (originates from `sandbox::MemoryServiceProvider::run()`):

In debug builds, of course, we have an abort due to the assert:
POC (which could be simplified, of course):
@davidchisnall
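The issue above is a missing input check on the trusted side of a sandbox boundary: the allocator's assert is compiled out in release builds, so a deallocation request with a size below `MIN_CHUNK_SIZE` reaches the buddy range unchecked. The following is an added example of the kind of validation the parent process can apply to every chunk request before it touches the allocator; it is not the project's code and not snmalloc's API. `kMinChunkSize`, `SandboxRegion`, `ChunkRequest`, `validate_chunk_request` and the region bounds are assumptions made for illustration; the power-of-two and alignment checks generalise the page's single size-floor check to the other properties a buddy-allocated chunk is expected to have.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for snmalloc::MIN_CHUNK_SIZE (assumed 16 KiB here; the
// real constant is defined inside snmalloc and is not taken from this page).
constexpr size_t kMinChunkSize = size_t(1) << 14;

// Hypothetical description of the memory the sandboxed child may manage.
struct SandboxRegion {
  uintptr_t base;   // first byte of the region
  size_t length;    // region size in bytes
};

// Hypothetical shape of an alloc/dealloc request arriving from the untrusted
// child. Field names are assumptions, not the project's wire format.
struct ChunkRequest {
  uintptr_t address;  // start of the chunk
  size_t size;        // chunk size in bytes
};

enum class Verdict {
  Ok,
  SizeTooSmall,        // below the allocator's minimum chunk size
  SizeNotPowerOfTwo,   // buddy chunks are power-of-two sized (assumption)
  Misaligned,          // chunk start not aligned to its own size (assumption)
  OutOfRange           // chunk not fully inside the sandbox region
};

constexpr bool is_power_of_two(size_t v) {
  return v != 0 && (v & (v - 1)) == 0;
}

// One validator shared by the allocation and deallocation paths, so that the
// deallocation path cannot fall behind the allocation path as it did in the
// issue. Every check is on the trusted side and is independent of whether the
// allocator's own asserts are compiled in.
Verdict validate_chunk_request(const ChunkRequest& req,
                               const SandboxRegion& region) {
  if (req.size < kMinChunkSize)
    return Verdict::SizeTooSmall;
  if (!is_power_of_two(req.size))
    return Verdict::SizeNotPowerOfTwo;
  if (req.address % req.size != 0)
    return Verdict::Misaligned;
  // Containment check written so that no intermediate value can overflow:
  // compare offsets within the region rather than computing address + size.
  if (req.address < region.base || req.size > region.length ||
      req.address - region.base > region.length - req.size)
    return Verdict::OutOfRange;
  return Verdict::Ok;
}
```

A request handler would call `validate_chunk_request` for both the alloc and the dealloc message types and drop (or log and reject) anything that is not `Verdict::Ok` before forwarding to the allocator; the test below exercises each rejection path with constructed values.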