public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "dj at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks.
Date: Fri, 08 May 2020 19:18:21 +0000 [thread overview]
Message-ID: <bug-25945-131-9oVxzLvOCK@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-25945-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=25945
dj at redhat dot com <dj at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dj at redhat dot com
--- Comment #6 from dj at redhat dot com <dj at redhat dot com> ---
In the grand scheme of things, the big question is, "what can an attacker learn
that the attacker doesn't already know?" Memory returned by malloc() has
ALWAYS had dirty data in it, and in our case, has always had some form of
pointer in it. However, if you have the address of the memory itself, you
already know the base address of the heap and the address of the data in each
chunk. Since the Safe-Linking feature uses the address of the data as the
"randomness", a malicious actor already has everything they need. Safe-Linking
reduces the ease of using that information, and protects against accidental
corruption, but our implementation in no way hides information. If we had used
real random bits from the system, I would conclude differently.
I have no objection to clearing internal data before giving memory to the
application, but we must be careful about performance - we don't want to turn
malloc into calloc, but clearing a few words that are likely already in cache
should be fine. So do we want to clear such data systematically, such as the
proposed patch? Or in bulk, in malloc() itself, for all chunks?
Note also that these chunks do NOT protect against an attacker calling free()
and using the free'd chunk to access the safe-linking data anyway.
So IMHO this type of patch is a good idea if it protects against accidental
corruption and/or helps us detect such cases (which is what Safe-Linking does),
but if the goal is to protect against malice we should consider a more blanket
solution, one which hides smallbin and largebin pointers as well.
As for the proposed patch, LGTM otherwise ;-)
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2020-05-08 19:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-08 3:35 [Bug malloc/25945] New: memory block return by tcache_get() may contain anather valid memory block pointer, leading to memory leak wangxuszcn at foxmail dot com
2020-05-08 9:51 ` [Bug malloc/25945] " wangxuszcn at foxmail dot com
2020-05-08 12:48 ` [Bug malloc/25945] memory block return by tcache_get() may contain anather valid memory block pointer, leading to information disclosure wangxuszcn at foxmail dot com
2020-05-08 13:03 ` wangxuszcn at foxmail dot com
2020-05-08 16:19 ` carlos at redhat dot com
2020-05-08 16:20 ` [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks carlos at redhat dot com
2020-05-08 16:20 ` fweimer at redhat dot com
2020-05-08 16:23 ` fweimer at redhat dot com
2020-05-08 16:44 ` carlos at redhat dot com
2020-05-08 19:18 ` dj at redhat dot com [this message]
2020-05-09 3:40 ` wangxuszcn at foxmail dot com
2020-05-09 3:45 ` wangxuszcn at foxmail dot com
2020-05-13 15:22 ` carlos at redhat dot com
2020-05-15 2:04 ` wangxuszcn at foxmail dot com
2020-05-15 6:44 ` wangxuszcn at foxmail dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-25945-131-9oVxzLvOCK@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).