| commit | fc859c304898a5ec72e0ba5269ed136ed0ea10e1 | |
| author | Siddhesh Poyarekar <siddhesh@sourceware.org> | |
| Wed, 7 Jul 2021 17:32:46 +0000 (7 23:02 +0530) | ||
| committer | Siddhesh Poyarekar <siddhesh@sourceware.org> | |
| Wed, 7 Jul 2021 20:09:38 +0000 (8 01:39 +0530) | ||
| tree | f060c61e0954f04cf4d01df4a7bc1a56e3cf5a70 | treesnapshot (tar.gz zip) |
| parent | f9c8b11ed7726b858cd7b7cea0d3d7c5233d78cf | commitdiff |
Harden tcache double-free check
The tcache allocator layer uses the tcache pointer as a key to
identify a block that may be freed twice. Since this is in the
application data area, an attacker exploiting a use-after-free could
potentially get access to the entire tcache structure through this
key. A detailed write-up was provided by Awarau here:
https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
Replace this static pointer use for key checking with one that is
generated at malloc initialization. The first attempt is through
getrandom with a fallback to random_bits(), which is a simple
pseudo-random number generator based on the clock. The fallback ought
to be sufficient since the goal of the randomness is only to make the
key arbitrary enough that it is very unlikely to collide with user
data.
Co-authored-by: Eyal Itkin <eyalit@checkpoint.com>
The tcache allocator layer uses the tcache pointer as a key to
identify a block that may be freed twice. Since this is in the
application data area, an attacker exploiting a use-after-free could
potentially get access to the entire tcache structure through this
key. A detailed write-up was provided by Awarau here:
https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/
Replace this static pointer use for key checking with one that is
generated at malloc initialization. The first attempt is through
getrandom with a fallback to random_bits(), which is a simple
pseudo-random number generator based on the clock. The fallback ought
to be sufficient since the goal of the randomness is only to make the
key arbitrary enough that it is very unlikely to collide with user
data.
Co-authored-by: Eyal Itkin <eyalit@checkpoint.com>
| malloc/arena.c | diffblobblamehistory | |
| malloc/malloc.c | diffblobblamehistory |