[Bug malloc/25945] memory block return by tcache_get() may contain anather valid memory block pointer, leading to information disclosure

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/25945] memory block return by tcache_get()  may contain anather valid memory block pointer, leading to information disclosure
Date: Fri, 08 May 2020 16:19:51 +0000	[thread overview]
Message-ID: <bug-25945-131-UterhZBrFI@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-25945-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=25945

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #3 from Carlos O'Donell <carlos at redhat dot com> ---
Wangxu,

Thank you very much for the report and the discussion of possible leakage of
the ASLR bits via chunk re-use.

Since we are only clearing an additional pointer-sized word per chunk, and the
chunk is already in cache (previously touched), the cost to change this
additional word is probably not measurable.

However, we need a little more because we want to prevent the disclosure of
ASLR bits in the tcache *and* fastbin chunks.

diff --git a/malloc/malloc.c b/malloc/malloc.c
index ee87ddbbf9..970e4b5e3d 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -2953,7 +2953,11 @@ tcache_get (size_t tc_idx)
     malloc_printerr ("malloc(): unaligned tcache chunk detected");
   tcache->entries[tc_idx] = REVEAL_PTR (e->next);
   --(tcache->counts[tc_idx]);
+  /* Clear the key to make free's double-free check effective.  */
   e->key = NULL;
+  /* Clear the Safe-Link'ed pointer to avoid a user from being
+     able to print this and expose ASLR bits.  */
+  e->next = NULL;
   return (void *) e;
 }

@@ -3613,6 +3617,7 @@ _int_malloc (mstate av, size_t bytes)
            *fb = REVEAL_PTR (victim->fd);
          else
            REMOVE_FB (fb, pp, victim);
+
          if (__glibc_likely (victim != NULL))
            {
              size_t victim_idx = fastbin_index (chunksize (victim));
@@ -3646,6 +3651,9 @@ _int_malloc (mstate av, size_t bytes)
                }
 #endif
              void *p = chunk2mem (victim);
+             /* Clear the Safe-Link'ed pointer to avoid a user from being
+                able to print this and expose ASLR bits.  */
+             victim->fd = NULL;
              alloc_perturb (p, bytes);
              return p;
            }
---

-- 
You are receiving this mail because:
You are on the CC list for the bug.

next prev parent reply	other threads:[~2020-05-08 16:19 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-08  3:35 [Bug malloc/25945] New: memory block return by tcache_get() may contain anather valid memory block pointer, leading to memory leak wangxuszcn at foxmail dot com
2020-05-08  9:51 ` [Bug malloc/25945] " wangxuszcn at foxmail dot com
2020-05-08 12:48 ` [Bug malloc/25945] memory block return by tcache_get() may contain anather valid memory block pointer, leading to information disclosure wangxuszcn at foxmail dot com
2020-05-08 13:03 ` wangxuszcn at foxmail dot com
2020-05-08 16:19 ` carlos at redhat dot com [this message]
2020-05-08 16:20 ` [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache or fastbin chunks carlos at redhat dot com
2020-05-08 16:20 ` fweimer at redhat dot com
2020-05-08 16:23 ` fweimer at redhat dot com
2020-05-08 16:44 ` carlos at redhat dot com
2020-05-08 19:18 ` dj at redhat dot com
2020-05-09  3:40 ` wangxuszcn at foxmail dot com
2020-05-09  3:45 ` wangxuszcn at foxmail dot com
2020-05-13 15:22 ` carlos at redhat dot com
2020-05-15  2:04 ` wangxuszcn at foxmail dot com
2020-05-15  6:44 ` wangxuszcn at foxmail dot com

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-25945-131-UterhZBrFI@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).