[Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks.

["wangxuszcn at foxmail dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=25945

--- Comment #8 from wangxu <wangxuszcn at foxmail dot com> ---
Just like pointers returned from fastbin, smallbin, largebin.
(In reply to wangxu from comment #7)
> Thanks for patient reply.
> I'm considering whether there's a more blanket solution. Thanks again.
> 
> BTW, is it better to give a change to perturb pointers returned by
> tcache_get(), using alloc_perturb (p, bytes) ?
> 
> patches may be like this:
> 
> diff --git a/malloc/malloc.c b/malloc/malloc.c
> index e8abb4e..057e5ad 100644
> --- a/malloc/malloc.c
> +++ b/malloc/malloc.c
> @@ -3108,7 +3108,9 @@ __libc_malloc (size_t bytes)
>        && tcache
>        && tcache->counts[tc_idx] > 0)
>      {
> -      return tcache_get (tc_idx);
> +      void *p = tcache_get (tc_idx);
> +      alloc_perturb (p, bytes);
> +      return p;
>      }
>    DIAG_POP_NEEDS_COMMENT;
>  #endif
> @@ -3963,7 +3965,9 @@ _int_malloc (mstate av, size_t bytes)
>           && mp_.tcache_unsorted_limit > 0
>           && tcache_unsorted_count > mp_.tcache_unsorted_limit)
>         {
> -     return tcache_get (tc_idx);
> +   void *p = tcache_get (tc_idx);
> +   alloc_perturb (p, bytes);
> +   return p;
>         }
>  #endif
> 
> @@ -3976,7 +3980,9 @@ _int_malloc (mstate av, size_t bytes)
>        /* If all the small chunks we found ended up cached, return one now. 
> */
>        if (return_cached)
>         {
> -     return tcache_get (tc_idx);
> +   void *p = tcache_get (tc_idx);
> +   alloc_perturb (p, bytes);
> +   return p;
>         }

-- 
You are receiving this mail because:
You are on the CC list for the bug.