Subject: Re: use-after-free / double-free exploit mitigation
From: Florian Weimer <fweimer@redhat.com>
To: up201407890@alunos.dcc.fc.up.pt, Martin Sebor
Cc: libc-alpha@sourceware.org
Date: Thu, 07 Sep 2017 16:00:00 -0000
Message-ID: <8feaa5bc-94f7-547c-c241-a82c41bd7472@redhat.com>
In-Reply-To: <20170906144653.14363oywmmoc9ug4@webmail.alunos.dcc.fc.up.pt>
List-Id: libc-alpha@sourceware.org (archive: 2017-09/txt/msg00301.txt.bz2)

On 09/06/2017 02:46 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> What are your thoughts on adding a SAFE_FREE() macro to glibc:
>
> #define SAFE_FREE(x) \
>     do { if ((x) != 0x0) { free(x); (x) = (void *)0x1; } } while (0)
>
> After free(x), we set x to an address that will crash when dereferenced
> (use-after-free), and will also crash when it's an argument to free().
> Note that NULL isn't used, because free(NULL) does nothing, which might
> hide potential double-free bugs.
Maybe GCC should optionally do this for the actual call to free. There is
some debate to what extent pointer *values* remain valid after free.
Martin Sebor may have some thought on that.

In any case, some GCC assistance is needed so that

  free (some_struct->ptr);
  free (some_struct);

actually clobbers some_struct->ptr. I don't think we want to call out to
explicit_bzero here.

Thanks,
Florian
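The proposed macro exercised on a small linked list, as an added example that is not code from the thread or from glibc. The node struct, the list helpers, the poison check and the return conventions are constructed for illustration. The SAFE_FREE_KEEP variant is this example's own stand-in for the compiler assistance Florian asks for: it routes the poisoning store through a volatile lvalue so that the store to the inner pointer survives even though the enclosing object is freed immediately afterwards. It assumes that address 1 is unmapped (true on typical Linux configurations) and that all object pointer types share one representation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Poison value from the proposal: not NULL, so free() will not silently
 * accept it a second time, and a dereference faults. That address 1 is
 * unmapped is an assumption of this example (true on typical Linux setups). */
#define POISON_PTR ((void *)0x1)

/* The macro as proposed in the thread. */
#define SAFE_FREE(x) \
    do { if ((x) != NULL) { free(x); (x) = POISON_PTR; } } while (0)

/* This example's own variant, not from the thread: the poisoning store goes
 * through a volatile lvalue, so the compiler must emit it even when the
 * enclosing object is freed right afterwards (the "free (s->ptr); free (s);"
 * case, where a plain store to s->ptr is dead and may be dropped). The cast
 * assumes every object pointer type shares one representation. */
#define SAFE_FREE_KEEP(x) \
    do { if ((x) != NULL) { free(x); *(void *volatile *)&(x) = POISON_PTR; } } while (0)

struct node {
    char *name;
    struct node *next;
};

static int is_poisoned(const void *p)
{
    return p == POISON_PTR;
}

/* Frees one node and its name; returns 0 on success, -1 if *np was already
 * poisoned, i.e. this call would have been a double free. */
int node_free(struct node **np)
{
    if (is_poisoned(*np))
        return -1;
    if (*np == NULL)
        return 0;
    /* Inner pointer first, then the object containing it: exactly the
     * sequence where a plain poisoning store to (*np)->name is dead. */
    SAFE_FREE_KEEP((*np)->name);
    SAFE_FREE(*np);
    return 0;
}

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p == NULL)
        abort();
    memcpy(p, s, len);
    return p;
}

/* Builds a singly linked list of `count` nodes (constructed sample data). */
struct node *list_build(size_t count)
{
    struct node *head = NULL, **tail = &head;
    for (size_t i = 0; i < count; i++) {
        struct node *n = malloc(sizeof *n);
        if (n == NULL)
            abort();
        n->name = dup_string("node");
        n->next = NULL;
        *tail = n;
        tail = &n->next;
    }
    return head;
}

/* Frees the whole list and poisons *head. Returns the number of nodes freed,
 * or -1 if *head was already poisoned (a second call on the same list). */
long list_free(struct node **head)
{
    if (is_poisoned(*head))
        return -1;
    long freed = 0;
    struct node *n = *head;
    while (n != NULL) {
        struct node *next = n->next;   /* read before the node is gone */
        if (node_free(&n) != 0)
            return -1;
        freed++;
        n = next;
    }
    /* *head still dangles at the first node's old address; poison it too. */
    if (*head != NULL)
        *head = POISON_PTR;
    return freed;
}

int main(void)
{
    struct node *list = list_build(3);
    printf("freed %ld nodes\n", list_free(&list));
    printf("second list_free returns %ld (double free refused)\n", list_free(&list));
    return 0;
}
```

The plain SAFE_FREE is enough for a local or global pointer, because the variable outlives the free. For a pointer stored inside the object that is freed next, a plain store is dead from the optimizer's point of view, which is why the inner field here uses the volatile variant; that is a portable stand-in for, not a replacement of, the compiler support the reply asks for.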