* [Bug libc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ (wrongly) have effect in setgid programs
2010-10-23 13:48 [Bug libc/12155] New: MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ (wrongly) have effect in setgid programs mtk.manpages at gmail dot com
@ 2010-10-23 13:49 ` mtk.manpages at gmail dot com
2010-10-23 14:02 ` mtk.manpages at gmail dot com
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: mtk.manpages at gmail dot com @ 2010-10-23 13:49 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
--- Comment #1 from Michael Kerrisk <mtk.manpages at gmail dot com> 2010-10-23 13:49:26 UTC ---
Created attachment 5081
--> http://sourceware.org/bugzilla/attachment.cgi?id=5081
test program
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug libc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ (wrongly) have effect in setgid programs
From: mtk.manpages at gmail dot com @ 2010-10-23 14:02 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
--- Comment #2 from Michael Kerrisk <mtk.manpages at gmail dot com> 2010-10-23 14:02:05 UTC ---
Initial runs of test program as normal user. Grepping the strace output of the
second run shows that MALLOC_MMAP_THRESHOLD_ has an effect.
==
$ strace -o o ./t_M_MMAP_THRESHOLD -1 -1 0 1000 100000
$ grep brk o | wc; grep mmap o| wc
503 1509 26156
7 56 612
$ MALLOC_MMAP_THRESHOLD_=50000 strace -o o ./t_M_MMAP_THRESHOLD -1 -1 0 1000 100000
$ grep brk o | wc; grep mmap o| wc
3 9 156
1006 8048 89523
==
Now, run the program first as setuid-root, and then as setgid-root. In the
first case, MALLOC_MMAP_THRESHOLD_ has no effect, but in the second,
MALLOC_MMAP_THRESHOLD_ does have an effect.
==
$ sudo chown root:root t_M_MMAP_THRESHOLD
$ sudo chmod u+s,g-s t_M_MMAP_THRESHOLD
$ ls -l t_M_MMAP_THRESHOLD
-rwsr-xr-x 1 root root 10126 Oct 23 15:32 t_M_MMAP_THRESHOLD
$ MALLOC_MMAP_THRESHOLD_=50000 strace -o o ./t_M_MMAP_THRESHOLD -1 -1 0 1000 100000
$ grep brk o | wc; grep mmap o| wc
503 1509 26156
7 56 612
$ sudo chmod u-s,g+s t_M_MMAP_THRESHOLD
$ ls -l t_M_MMAP_THRESHOLD
-rwxr-sr-x 1 root root 10126 Oct 23 15:32 t_M_MMAP_THRESHOLD
$ MALLOC_MMAP_THRESHOLD_=50000 strace -o o ./t_M_MMAP_THRESHOLD -1 -1 0 1000 100000
$ grep brk o | wc; grep mmap o| wc
3 9 156
1006 8048 89523
==
* [Bug libc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ (wrongly) have effect in setgid programs
From: drepper.fsp at gmail dot com @ 2010-10-23 14:54 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
--- Comment #3 from Ulrich Drepper <drepper.fsp at gmail dot com> 2010-10-23 14:54:04 UTC ---
And what is the issue? Don't you have anything better to do than complain
about completely irrelevant things?
* [Bug libc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ (wrongly) have effect in setgid programs
From: mtk.manpages at gmail dot com @ 2010-10-24 7:11 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
--- Comment #4 from Michael Kerrisk <mtk.manpages at gmail dot com> 2010-10-24 05:19:17 UTC ---
(In reply to comment #3)
> And what is the issue? Don't you have anything better to do than complain
> about completely irrelevant things?
This is not a complaint. It's a bug report. Do you really have no better mode
of response than this?
The issue is twofold:
1. Consistency: in almost all cases, the MALLOC_*_ environment variables are
ignored in setuid and setgid programs. The inconsistency noted in this report
could lead to unexpected behavior (bugs).
2. Security: if the MALLOC_*_ environment variables are disabled for security
reasons, and in particular MALLOC_MMAP_*_ are disabled for setuid programs, the
security risk must be similar for setgid programs. In other words, either
a) there is a security problem and these variables should be disabled for both
setuid and setgid programs, or
b) there is no security problem and they should be enabled for both setuid and
setgid programs.
* [Bug libc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: eerott at gmail dot com @ 2011-07-30 16:29 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
Eero Tamminen <eerott at gmail dot com> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |eerott at gmail dot com
Summary    |MALLOC_MMAP_THRESHOLD_ and  |MALLOC_MMAP_THRESHOLD_ and
           |MALLOC_MMAP_MAX_ (wrongly)  |MALLOC_MMAP_MAX_ have
           |have effect in setgid       |different effect for setgid
           |programs                    |than for setuid programs
--- Comment #5 from Eero Tamminen <eerott at gmail dot com> 2011-07-30 16:28:43 UTC ---
After a quick glimpse at the (v2.11) malloc.c, the effect of these variables is:
* MALLOC_MMAP_MAX_ : how many simultaneous mmap() requests the glibc allocator can
do before falling back to heap (or asserting?)
* MALLOC_MMAP_THRESHOLD_ : which sized allocs will use mmap() instead of heap
I.e. these affect only to what size program's heap may grow and how many
mmap()s the program causes with its allocations.
The threshold value can be only between 4KB and:
--------
#ifndef DEFAULT_MMAP_THRESHOLD_MAX
/* For 32-bit platforms we cannot increase the maximum mmap
threshold much because it is also the minimum value for the
maximum heap size and its alignment. Going above 512k (i.e., 1M
for new heaps) wastes too much address space. */
# if __WORDSIZE == 32
# define DEFAULT_MMAP_THRESHOLD_MAX (512 * 1024)
# else
# define DEFAULT_MMAP_THRESHOLD_MAX (4 * 1024 * 1024 * sizeof(long))
# endif
#endif
--------
The only issue that I could think of with these is that the program can use a lot more
memory and/or be slower. If it does enough allocs and the mmap threshold is set to
4kB, the app might crash due to running out of address space, but I think that's
all. But if the user is able to run the program to set its environment variables,
he's able to kill it directly too. And a slowdown can be gotten by running other
programs.
With this one may be able to trigger allocation failure earlier. If the program
doesn't handle allocation failures properly (AFAIK e.g. Glib & Qt by default
abort on them), its memory may get corrupted. However, you can get this
more simply just by lowering resource limits before running the program.
As a conclusion, I don't see this as a security issue, but a consistency one.
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: jsm28 at gcc dot gnu.org @ 2012-02-21 1:55 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Component  |libc                        |malloc
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: schwab@linux-m68k.org @ 2012-12-19 10:48 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=12155
Andreas Schwab <schwab@linux-m68k.org> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
AssignedTo |drepper.fsp at gmail dot    |unassigned at sourceware
           |com                         |dot org
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: neleai at seznam dot cz @ 2013-10-31 14:42 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12155
Ondrej Bilka <neleai at seznam dot cz> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
CC         |                            |neleai at seznam dot cz
--- Comment #6 from Ondrej Bilka <neleai at seznam dot cz> ---
Weird as these variables are handled by malloc/arena.c:
  if (! __builtin_expect (__libc_enable_secure, 0))
    {
      if (memcmp (envline, "TRIM_THRESHOLD_", 15) == 0)
        __libc_mallopt(M_TRIM_THRESHOLD, atoi(&envline[16]));
      else if (memcmp (envline, "MMAP_THRESHOLD_", 15) == 0)
        __libc_mallopt(M_MMAP_THRESHOLD, atoi(&envline[16]));
    }
and __libc_enable_secure is defined as
  if (__libc_enable_secure_decided == 0)
    __libc_enable_secure = (__geteuid () != __getuid ()
                            || __getegid () != __getgid ());
A simple program shows that this is enabled in both cases.
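#include <stdio.h>
#include <unistd.h>

/* glibc's internal secure-mode flag */
extern int __libc_enable_secure;
int main (void)
{
  /* real and effective user and group IDs, then the flag */
  printf ("%i %i %i %i", getuid(), geteuid(), getgid(), getegid());
  printf (" %i\n", __libc_enable_secure);
  return 0;
}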
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: fweimer at redhat dot com @ 2014-06-30 7:22 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12155
Florian Weimer <fweimer at redhat dot com> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |NEW                         |WAITING
CC         |                            |fweimer at redhat dot com
--- Comment #7 from Florian Weimer <fweimer at redhat dot com> ---
The strace invocation looks suspicious. Ptracing a process will inhibit the
SUID/SGID transition, particularly if run as an unprivileged user, as the $
prompt suggests. Michael, are you sure you are running strace in the right
way?
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: mtk.manpages at gmail dot com @ 2014-06-30 8:32 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12155
--- Comment #8 from Michael Kerrisk <mtk.manpages at gmail dot com> ---
(In reply to Florian Weimer from comment #7)
> The strace invocation looks suspicious. Ptracing a process will inhibit the
> SUID/SGID transition, particularly if run as an unprivileged user, as the $
> prompt suggests. Michael, are you sure you are running strace in the right
> way?
Ach! You're exactly right. I completely overlooked this strace(1) behavior.
Running my program under strace(1) the right way:
$ MALLOC_MMAP_THRESHOLD_=50000 sudo strace -u mtk -o o ./t_M_MMAP_THRESHOLD -1 -1 0 1000 100000
$ grep brk o | wc; grep mmap o| wc
1002 3006 52104
9 72 862
In other words, MALLOC_MMAP_THRESHOLD_ has no effect, as it should.
Thanks for educating me, Florian.
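A self-check for the condition that comments #7 and #8 turn on: whether the process really started in secure-execution mode, and whether a tracer is attached. This is an added example, not code from the thread or from glibc; it assumes Linux with /proc mounted and glibc 2.16 or later for getauxval(), and the helper names are hypothetical.

```c
/* Added example (not from the thread): secure-mode and tracer self-check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Same ID comparison as the __libc_enable_secure code quoted in comment #6. */
static int ids_differ(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* AT_SECURE is the kernel's own verdict, passed to the process at execve(). */
static int at_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Extract TracerPid from the text of /proc/<pid>/status; -1 if not found. */
static long parse_tracer_pid(const char *status)
{
    const char *p = strstr(status, "\nTracerPid:");
    return p ? strtol(p + strlen("\nTracerPid:"), NULL, 10) : -1;
}

/* PID of the attached tracer (0 = none, -1 = /proc unavailable). */
static long tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

int main(void)
{
    printf("uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    printf("ids_differ=%d AT_SECURE=%d TracerPid=%ld\n",
           ids_differ(), at_secure(), tracer_pid());
    if (tracer_pid() > 0 && !at_secure())
        puts("traced and not in secure mode: set-ID bits may have been ignored");
    return 0;
}
```

Installed set-group-ID and started under strace by an unprivileged user, it is expected to report ids_differ=0 and AT_SECURE=0 with a nonzero TracerPid, which is the situation comment #7 describes.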
* [Bug malloc/12155] MALLOC_MMAP_THRESHOLD_ and MALLOC_MMAP_MAX_ have different effect for setgid than for setuid programs
From: mtk.manpages at gmail dot com @ 2014-06-30 8:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=12155
Michael Kerrisk <mtk.manpages at gmail dot com> changed:
What       |Removed                     |Added
----------------------------------------------------------------------------
Status     |WAITING                     |RESOLVED
Resolution |---                         |INVALID
--- Comment #9 from Michael Kerrisk <mtk.manpages at gmail dot com> ---
As realized by Florian, my testing was bogus. Move along folks, there's no bug
to see here.