This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()
- From: "jf at ownco dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 04 May 2015 14:33:24 +0000
- Subject: [Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()
- Auto-submitted: auto-generated
- References: <bug-18292-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18292
--- Comment #14 from Justin N. Ferguson <jf at ownco dot net> ---
> Consolidation only happens between chunks which are unused. The arena lock
> prevents chunks from switching from unused to used during this processing.
> At least this is my understanding.
Well, in the example I gave, there is no lock being held, but thinking about the
code a little more, you're okay in those circumstances because the only way
you're not is if _int_realloc() fails, which means the resize must be larger.
> That's a race in the calling application, I think.
We will agree to disagree here; all apologies for using bugzilla in this
manner.
In all earnest, there's a lot of things I'd like to do to improve the security
posture of the allocator, but I'm apprehensive about touching it because it's
sort of just waiting for a modification for things to blow up all over the
place.
Some areas that could be improved:
- Introduction of heap cookies in chunks or at least arenas
- Introduction of a bit to discern whether a block is in use, to quash issues with
fastbins and free(a); free(b); free(a); double free patterns
- Improved randomization; currently ASLR is easy to break because it looks more
random than it actually is
- Patch the mremap code path and other mmap related code paths to prevent abuse
of unchecked prev_size in the event that size gets corrupted or similar
- While not strictly allocator related, the load order of modules should
probably be randomized.
- et cetera
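The in-use bit proposed in the comment above, as an added illustration that is not glibc code: a constructed toy allocator with a fastbin-style LIFO free list, where a head-of-list-only check catches free(a); free(a) but misses free(a); free(b); free(a), while a per-chunk in-use bit rejects both. All names (toy_malloc, toy_free, aba_pattern) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed toy allocator: one size class, a LIFO free list like a fastbin,
 * plus a hypothetical per-chunk in-use bit (the proposal in the comment). */
#define NCHUNKS 8
struct chunk {
    struct chunk *fd;       /* next chunk in the free list */
    bool in_use;            /* hypothetical in-use bit, checked on every free */
    unsigned char data[16]; /* user payload */
};
static struct chunk pool[NCHUNKS];
static struct chunk *freelist;
static size_t next_fresh;

static void toy_reset(void) {
    freelist = NULL;
    next_fresh = 0;
    for (size_t i = 0; i < NCHUNKS; i++) { pool[i].fd = NULL; pool[i].in_use = false; }
}

static void *toy_malloc(void) {
    struct chunk *c;
    if (freelist) { c = freelist; freelist = c->fd; }
    else if (next_fresh < NCHUNKS) c = &pool[next_fresh++];
    else return NULL;
    c->in_use = true;
    return c->data;
}

/* Returns 0 if the chunk was freed, 1 if the free was rejected as a double free.
 * strict=false only compares against the head of the free list (catches
 * free(a);free(a) but not free(a);free(b);free(a)); strict=true consults the
 * in-use bit instead, which catches both patterns. */
static int toy_free(void *p, bool strict) {
    struct chunk *c = (struct chunk *)((char *)p - offsetof(struct chunk, data));
    bool already_free = strict ? !c->in_use : (freelist == c);
    if (already_free) { fprintf(stderr, "double free rejected\n"); return 1; }
    c->in_use = false;
    c->fd = freelist;
    freelist = c;
    return 0;
}

/* Plays free(a); free(b); free(a) on a fresh pool; returns how many frees were rejected. */
static int aba_pattern(bool strict) {
    toy_reset();
    void *a = toy_malloc(), *b = toy_malloc();
    int rejected = toy_free(a, strict);   /* sequenced so the order is fixed */
    rejected += toy_free(b, strict);
    rejected += toy_free(a, strict);
    return rejected;
}
```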