public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "dj at redhat dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks. Date: Fri, 08 May 2020 19:18:21 +0000 [thread overview] Message-ID: <bug-25945-131-9oVxzLvOCK@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-25945-131@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=25945 dj at redhat dot com <dj at redhat dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dj at redhat dot com --- Comment #6 from dj at redhat dot com <dj at redhat dot com> --- In the grand scheme of things, the big question is, "what can an attacker learn that the attacker doesn't already know?" Memory returned by malloc() has ALWAYS had dirty data in it, and in our case, has always had some form of pointer in it. However, if you have the address of the memory itself, you already know the base address of the heap and the address of the data in each chunk. Since the Safe-Linking feature uses the address of the data as the "randomness", a malicious actor already has everything they need. Safe-Linking reduces the ease of using that information, and protects against accidental corruption, but our implementation in no way hides information. If we had used real random bits from the system, I would conclude differently. I have no objection to clearing internal data before giving memory to the application, but we must be careful about performance - we don't want to turn malloc into calloc, but clearing a few words that are likely already in cache should be fine. So do we want to clear such data systematically, such as the proposed patch? Or in bulk, in malloc() itself, for all chunks? Note also that these chunks do NOT protect against an attacker calling free() and using the free'd chunk to access the safe-linking data anyway. So IMHO this type of patch is a good idea if it protects against accidental corruption and/or helps us detect such cases (which is what Safe-Linking does), but if the goal is to protect against malice we should consider a more blanket solution, one which hides smallbin and largebin pointers as well. As for the proposed patch, LGTM otherwise ;-) -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2020-05-08 19:18 UTC|newest] Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-05-08 3:35 [Bug malloc/25945] New: memory block return by tcache_get() may contain anather valid memory block pointer, leading to memory leak wangxuszcn at foxmail dot com 2020-05-08 9:51 ` [Bug malloc/25945] " wangxuszcn at foxmail dot com 2020-05-08 12:48 ` [Bug malloc/25945] memory block return by tcache_get() may contain anather valid memory block pointer, leading to information disclosure wangxuszcn at foxmail dot com 2020-05-08 13:03 ` wangxuszcn at foxmail dot com 2020-05-08 16:19 ` carlos at redhat dot com 2020-05-08 16:20 ` [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks carlos at redhat dot com 2020-05-08 16:20 ` fweimer at redhat dot com 2020-05-08 16:23 ` fweimer at redhat dot com 2020-05-08 16:44 ` carlos at redhat dot com 2020-05-08 19:18 ` dj at redhat dot com [this message] 2020-05-09 3:40 ` wangxuszcn at foxmail dot com 2020-05-09 3:45 ` wangxuszcn at foxmail dot com 2020-05-13 15:22 ` carlos at redhat dot com 2020-05-15 2:04 ` wangxuszcn at foxmail dot com 2020-05-15 6:44 ` wangxuszcn at foxmail dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-25945-131-9oVxzLvOCK@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).