From: Moritz Eckert
To: libc-alpha@sourceware.org
Subject: malloc: Security implications of tcache
Date: Thu, 08 Feb 2018 21:39:00 -0000
Message-ID: <1c1360fb-0755-f201-9daf-b64c31c62970@cs.ucsb.edu>

Hey, I was
wondering if people are aware of the security implications of the tcache structure? It is operating in similar fashion to the fastbin free list, but without any security checks at all to detect memory corruption. This leads back to unconstrained writes and unconstrained arbitrary allocations, similar to the times of dlmalloc. Eventually, this makes all the security checks introduced before rather pointless, as they are bypassed completely by design. There is no real fix to this problem, apart from disabling the tcache of course, so I was wondering what led to the decision to remove security checks in this context?

Thank you,
Moritz
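As an added illustration of the two failure modes the message refers to (this is not part of Moritz's mail and not glibc's code): a minimal model of a tcache-style LIFO singly linked free list, where the "next" pointer is stored in the first user word of each freed chunk. In unchecked mode, a heap overflow into a freed chunk's next field turns into an allocation at an attacker-chosen address, and a double free yields two allocations that alias the same chunk. The hardened mode adds the kind of checks later glibc versions introduced: refusing a chunk already on the list (glibc 2.29 does this with a per-chunk key rather than a list walk) and validating the chunk about to be handed out (glibc 2.32 checks alignment and additionally mangles the next pointer with safe-linking; this model is stricter and requires an in-pool address). All names (`tc_bin`, `g_target`, `poison_demo`, `double_free_demo`) are this example's own, and the "heap" is a constructed in-process pool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a tcache-style bin: a LIFO singly linked free list whose "next"
 * pointer lives in the first word of each freed chunk.  Added illustration,
 * not glibc's allocator; all names here are assumptions of this example. */

#define POOL_CHUNKS 8
#define CHUNK_SIZE  32

typedef struct {
    unsigned char pool[POOL_CHUNKS * CHUNK_SIZE]; /* constructed "heap" */
    void *head;                                   /* free-list head */
    int hardened;                                 /* 0: no checks, as in 2018 tcache */
} tc_bin;

/* A victim object outside the heap: the address the attacker wants malloc to return. */
static void *g_target[4];

static void tc_init(tc_bin *b, int hardened)
{
    memset(b, 0, sizeof *b);
    b->hardened = hardened;
}

static void *tc_chunk(tc_bin *b, size_t i) { return b->pool + i * CHUNK_SIZE; }

/* Is p a properly aligned chunk inside our pool? */
static int tc_in_pool(const tc_bin *b, const void *p)
{
    uintptr_t lo = (uintptr_t)b->pool, hi = lo + sizeof b->pool, x = (uintptr_t)p;
    return x >= lo && x < hi && (x - lo) % CHUNK_SIZE == 0;
}

/* free(): push onto the list.  Hardened mode refuses a chunk that is already
 * on the list (glibc 2.29 uses a per-chunk key instead of walking). */
static int tc_free(tc_bin *b, void *p)
{
    if (b->hardened)
        for (void *q = b->head; q; q = *(void **)q)
            if (q == p)
                return -1;          /* double free detected */
    *(void **)p = b->head;
    b->head = p;
    return 0;
}

/* malloc(): pop from the list.  Hardened mode validates the chunk it is about
 * to hand out, so a forged next pointer never becomes an allocation
 * (glibc >= 2.32 aborts on an unaligned chunk here; this model is stricter). */
static void *tc_malloc(tc_bin *b)
{
    void *p = b->head;
    if (!p)
        return NULL;
    if (b->hardened && !tc_in_pool(b, p))
        return NULL;
    b->head = *(void **)p;
    return p;
}

/* Tcache poisoning: an overflow into a freed chunk's next field.
 * Returns 1 if the allocator handed out g_target, 0 if it refused. */
int poison_demo(int hardened)
{
    tc_bin b;
    tc_init(&b, hardened);
    void *a = tc_chunk(&b, 0), *c = tc_chunk(&b, 1);
    tc_free(&b, a);
    tc_free(&b, c);             /* list: c -> a */
    *(void **)c = g_target;     /* simulated heap overflow corrupts c->next */
    tc_malloc(&b);              /* returns c; list head is now g_target */
    return tc_malloc(&b) == (void *)g_target;
}

/* Double free: the same chunk pushed twice.
 * Returns 1 if two consecutive allocations alias, 0 if the double free was refused. */
int double_free_demo(int hardened)
{
    tc_bin b;
    tc_init(&b, hardened);
    void *a = tc_chunk(&b, 0);
    tc_free(&b, a);
    tc_free(&b, a);             /* unchecked: list becomes a -> a -> ... */
    void *p1 = tc_malloc(&b), *p2 = tc_malloc(&b);
    return p1 != NULL && p1 == p2;
}

int main(void)
{
    printf("poisoning    unchecked=%d hardened=%d\n", poison_demo(0), poison_demo(1));
    printf("double free  unchecked=%d hardened=%d\n", double_free_demo(0), double_free_demo(1));
    return 0;
}
```

The unchecked path is the point of the message: nothing between the corrupted next field and the returned pointer inspects the value, so one overflow buys an arbitrary allocation, and a double free buys two live pointers to one chunk. Note that the hardened checks are cheap (a key comparison and an alignment test in real glibc), which is why the omission in the original tcache code was a design choice rather than a performance necessity.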