From: Martin Sebor <msebor@redhat.com>
To: Federico Manuel Bento <up201407890@fc.up.pt>, fweimer@redhat.com
Cc: libc-alpha@sourceware.org
Subject: Re: use-after-free / double-free exploit mitigation
Date: Sun, 10 Sep 2017 15:41:00 -0000 [thread overview]
Message-ID: <861608b3-d303-ecef-ef7c-87bc7c490aab@redhat.com> (raw)
In-Reply-To: <986259aa319e2c3b66a6196b589a0a60@fc.up.pt>
On 09/09/2017 11:59 AM, Federico Manuel Bento wrote:
>>>> On 09/06/2017 02:46 PM, up201407890@alunos.dcc.fc.up.pt wrote:
>>>> What are your thoughts on adding a SAFE_FREE() macro to glibc:
>
>>>> #define SAFE_FREE(x) do { if((x) != 0x0) { free(x); (x) = (void
>>>> *)0x1; }
>>>> } while(0)
>
>>>> After free(x), we set x to an address that will crash when dereferenced
>>>> (use-after-free), and will also crash when it's an argument to free().
>>>> Note that NULL isn't used, because free(NULL) does nothing, which might
>>>> hide potential double-free bugs.
>
>>> Maybe GCC should optionally do this for the actual call to free. There
>>> is some debate to what extend pointer *values* remain valid after free.
>>> Martin Sebor may have some thought on that.
>
>>> In any case, some GCC assistance is needed so that
>
>>> free (some_struct->ptr);
>>> free (some_struct);
>
>>> actually clobbers some_struct->ptr. I don't think we want to call out
>>> to explicit_bzero here.
>
>> One of the advantages of doing this in the compiler (besides not
>> having to change source code) is distinguishing rvalues from lvalues.
>
>> Martin
>
> Perhaps this sould be used when making use of FORTIFY_SOURCE?
That seems reasonable. David Malcolm has done some preliminary work
on a GCC maaloc/free optimization and diagnostic pass that might be
well suited to this sort of instrumentation. Opening an enhancement
request in GCC Bugzilla for this would help track interest in
the feature.
Martin
next prev parent reply other threads:[~2017-09-10 15:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-09 17:59 Federico Manuel Bento
2017-09-10 15:41 ` Martin Sebor [this message]
2017-09-11 15:36 ` Federico Manuel Bento
-- strict thread matches above, loose matches on Subject: below --
2017-09-06 12:47 up201407890
2017-09-07 16:00 ` Florian Weimer
2017-09-08 12:45 ` Martin Sebor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=861608b3-d303-ecef-ef7c-87bc7c490aab@redhat.com \
--to=msebor@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=up201407890@fc.up.pt \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).