From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id ABB033851C2D; Sat,  9 May 2020 03:40:36 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org ABB033851C2D
From: "wangxuszcn at foxmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/25945] ASLR information leak via Safe-Linking and tcache
 or fastbin chunks.
Date: Sat, 09 May 2020 03:40:36 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: malloc
X-Bugzilla-Version: 2.26
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: wangxuszcn at foxmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security?
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-25945-131-o8VnMKeub5@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-25945-131@http.sourceware.org/bugzilla/>
References: <bug-25945-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sat, 09 May 2020 03:40:36 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D25945

--- Comment #7 from wangxu <wangxuszcn at foxmail dot com> ---
Thanks for patient reply.
I'm considering whether there's a more blanket solution. Thanks again.

BTW, is it better to give a change to perturb pointers returned by
tcache_get(), using alloc_perturb (p, bytes) ?

patches may be like this:

diff --git a/malloc/malloc.c b/malloc/malloc.c
index e8abb4e..057e5ad 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3108,7 +3108,9 @@ __libc_malloc (size_t bytes)
       && tcache
       && tcache->counts[tc_idx] > 0)
     {
-      return tcache_get (tc_idx);
+      void *p =3D tcache_get (tc_idx);
+      alloc_perturb (p, bytes);
+      return p;
     }
   DIAG_POP_NEEDS_COMMENT;
 #endif
@@ -3963,7 +3965,9 @@ _int_malloc (mstate av, size_t bytes)
          && mp_.tcache_unsorted_limit > 0
          && tcache_unsorted_count > mp_.tcache_unsorted_limit)
        {
-     return tcache_get (tc_idx);
+   void *p =3D tcache_get (tc_idx);
+   alloc_perturb (p, bytes);
+   return p;
        }
 #endif

@@ -3976,7 +3980,9 @@ _int_malloc (mstate av, size_t bytes)
       /* If all the small chunks we found ended up cached, return one now.=
  */
       if (return_cached)
        {
-     return tcache_get (tc_idx);
+   void *p =3D tcache_get (tc_idx);
+   alloc_perturb (p, bytes);
+   return p;
        }

--=20
You are receiving this mail because:
You are on the CC list for the bug.=