Subject: Re: use-after-free / double-free exploit mitigation
From: Martin Sebor
To: Florian Weimer, up201407890@alunos.dcc.fc.up.pt, Martin Sebor
Cc: libc-alpha@sourceware.org
Date: Fri, 08 Sep 2017 12:45:00 -0000
Mailing-List: libc-alpha@sourceware.org
References: <20170906144653.14363oywmmoc9ug4@webmail.alunos.dcc.fc.up.pt> <8feaa5bc-94f7-547c-c241-a82c41bd7472@redhat.com>
In-Reply-To: <8feaa5bc-94f7-547c-c241-a82c41bd7472@redhat.com>
X-SW-Source: 2017-09/txt/msg00378.txt.bz2

On 09/07/2017 10:00 AM, Florian Weimer wrote:
> On 09/06/2017 02:46 PM, up201407890@alunos.dcc.fc.up.pt wrote:
>> What are your thoughts on adding a SAFE_FREE() macro to glibc:
>>
>> #define SAFE_FREE(x) do { if((x) != 0x0) { free(x); (x) = (void *)0x1; }
>> } while(0)
>>
>> After free(x), we set x to an address that will crash when dereferenced
>> (use-after-free), and will also crash when it's an argument to free().
>> Note that NULL isn't used, because free(NULL) does nothing, which might
>> hide potential double-free bugs.
>
> Maybe GCC should optionally do this for the actual call to free. There
> is some debate to what extent pointer *values* remain valid after free.
> Martin Sebor may have some thought on that.
>
> In any case, some GCC assistance is needed so that
>
> free (some_struct->ptr);
> free (some_struct);
>
> actually clobbers some_struct->ptr. I don't think we want to call out
> to explicit_bzero here.

One of the advantages of doing this in the compiler (besides not having
to change source code) is distinguishing rvalues from lvalues.

Martin
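The following is an added example, not code from the thread or from glibc. It takes the SAFE_FREE() macro exactly as proposed above and shows what it leaves behind in the two cases discussed: a plain local pointer and Florian's `free (some_struct->ptr); free (some_struct);` sequence, where the struct member is an lvalue and so can be clobbered before the containing object goes away. The names `FREED_SENTINEL`, `struct holder` and `checked_free` are my own; `checked_free` is an assumed variant that refuses a second free through the same slot and reports it, rather than letting the sentinel address fault inside free(). The macro's limitation that the thread raises also shows up here: `SAFE_FREE(get_ptr())` would not compile, because the assignment needs an lvalue, which is the rvalue/lvalue distinction only the compiler can resolve.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The macro as proposed in the thread: free and replace the pointer with a
   sentinel that is neither NULL (free(NULL) is a silent no-op) nor a valid
   address, so a later dereference or second free() faults immediately. */
#define SAFE_FREE(x) do { if ((x) != 0x0) { free(x); (x) = (void *)0x1; } } while (0)

/* Sentinel the macro leaves behind (name assumed here, not from the thread). */
#define FREED_SENTINEL ((void *)0x1)

/* Constructed stand-in for some_struct in the quoted message. */
struct holder {
    char *name;
    int   value;
};

/* Returns 1 if SAFE_FREE replaced a plain local pointer with the sentinel. */
int local_pointer_is_poisoned(void)
{
    char *p = malloc(16);
    if (p == NULL)
        return 0;
    strcpy(p, "hello");
    SAFE_FREE(p);
    return p == FREED_SENTINEL;
}

/* Florian's two-line case: h->name is an lvalue, so the macro can clobber
   it before the containing struct is released. Returns 1 if both the member
   (read while h is still live) and the outer pointer end up poisoned. */
int struct_member_is_poisoned(void)
{
    struct holder *h = malloc(sizeof *h);
    if (h == NULL)
        return 0;
    h->name = malloc(8);
    if (h->name == NULL) {
        free(h);
        return 0;
    }
    strcpy(h->name, "x");
    h->value = 42;

    SAFE_FREE(h->name);
    int member_poisoned = (h->name == FREED_SENTINEL);  /* before h is freed */
    SAFE_FREE(h);
    return member_poisoned && h == FREED_SENTINEL;
}

/* Assumed checked variant (my addition): instead of letting the second
   free() fault on the sentinel, refuse it and report. Returns 0 after a
   successful free or for a NULL slot, -1 when the slot already holds the
   sentinel, i.e. a double free through this slot was attempted. */
int checked_free(void **slot)
{
    if (*slot == NULL)
        return 0;                /* mirrors free(NULL): nothing to do */
    if (*slot == FREED_SENTINEL)
        return -1;               /* already freed through this slot */
    free(*slot);
    *slot = FREED_SENTINEL;
    return 0;
}

/* Frees the same slot twice; returns 1 when the first call succeeds and the
   second is rejected as a double free instead of reaching the allocator. */
int double_free_is_detected(void)
{
    void *p = malloc(32);
    if (p == NULL)
        return 0;
    int first = checked_free(&p);
    int second = checked_free(&p);
    return first == 0 && second == -1;
}

int main(void)
{
    printf("local pointer poisoned: %d\n", local_pointer_is_poisoned());
    printf("struct member poisoned: %d\n", struct_member_is_poisoned());
    printf("double free detected:   %d\n", double_free_is_detected());
    return 0;
}
```

Note that comparing a pointer's value after it has been passed to free() is exactly the point Florian flags as debated: the C standard makes that value indeterminate, which is why the checks above only inspect pointers after SAFE_FREE has overwritten them with the sentinel, never the stale value a plain free() leaves behind.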