This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/18292] Invalid pointer dereference in nsswitch.c:nss_new_service()


https://sourceware.org/bugzilla/show_bug.cgi?id=18292

--- Comment #14 from Justin N. Ferguson <jf at ownco dot net> ---

> Consolidation only happens between chunks which are unused.  The arena lock
> prevents a chunk from switching from unused to used during this processing.
> At least this is my understanding.

Well, in the example I gave, there is no lock being held, but thinking about the
code a little more, you're okay in those circumstances because the only way
you're not is if _int_realloc() fails, which means the resize must be larger.


> That's a race in the calling application, I think.

We will agree to disagree here; all apologies for using bugzilla in this
manner.

In all earnestness, there's a lot of things I'd like to do to improve the security
posture of the allocator, but I'm apprehensive about touching it because it's
sort of just waiting for a modification for things to blow up all over the
place.

Some areas that could be improved:

- Introduction of heap cookies in chunks or at least arenas
- Introduction of a bit to discern whether a block is in use, to quash issues with
fastbins and free(a); free(b); free(a) double-free patterns
- Improved randomization; currently ASLR is easy to break because it looks more
random than it actually is
- Patch the mremap code path and other mmap-related code paths to prevent abuse
of unchecked prev_size in the event that size gets corrupted or similar
- While not strictly allocator-related, the load order of modules should
probably be randomized.
- et cetera

-- 
You are receiving this mail because:
You are on the CC list for the bug.
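As an added illustration for the double-free item in the list above, and not code from this thread or from glibc: a toy model of a fastbin-style LIFO free list, where a freed chunk's first user word becomes its fd link. The unhardened variant performs only the check glibc's fastbin path does, comparing the chunk being freed with the current bin head, so free(a); free(b); free(a) goes through and a later malloc hands out the same chunk twice. The hardened variant additionally keeps an in-use bit in the chunk header and rejects a free of a chunk that is not in use. The chunk layout, the IN_USE flag, and the names toy_malloc, toy_free and outcome are assumptions of this model, not glibc's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fastbin-style free list (added example, not glibc code).
 * Assumptions: fixed-size chunks from a static pool, a header word whose
 * low bit is a hypothetical IN_USE flag, and the fd link stored in the
 * first word of user data once the chunk is freed. */

#define POOL_CHUNKS 8
#define CHUNK_SIZE  32          /* bytes per chunk, header included */
#define IN_USE      ((size_t)1) /* hypothetical header flag, not glibc's */

struct chunk {
    size_t  size_and_flags;     /* size; low bit = IN_USE in hardened mode */
    uint8_t user[CHUNK_SIZE - sizeof(size_t)];
};

struct bin {
    struct chunk *top;          /* head of the LIFO list */
    int check_in_use_bit;       /* 0: fasttop check only; 1: also IN_USE */
};

static struct chunk pool[POOL_CHUNKS];
static size_t next_fresh;       /* index of the next never-allocated chunk */

/* fd link overlays the first user word, as in a real fastbin chunk */
static struct chunk *get_fd(const struct chunk *c)
{
    struct chunk *fd;
    memcpy(&fd, c->user, sizeof fd);
    return fd;
}

static void set_fd(struct chunk *c, struct chunk *fd)
{
    memcpy(c->user, &fd, sizeof fd);
}

static void bin_init(struct bin *b, int hardened)
{
    memset(pool, 0, sizeof pool);
    next_fresh = 0;
    b->top = NULL;
    b->check_in_use_bit = hardened;
}

static struct chunk *toy_malloc(struct bin *b)
{
    struct chunk *c;
    if (b->top) {                       /* reuse from the bin, LIFO */
        c = b->top;
        b->top = get_fd(c);
    } else if (next_fresh < POOL_CHUNKS) {
        c = &pool[next_fresh++];        /* carve a fresh chunk */
    } else {
        return NULL;
    }
    c->size_and_flags = CHUNK_SIZE | IN_USE;
    return c;
}

/* Returns 0 if the chunk was placed in the bin, -1 if the free is rejected.
 * The first test is the only double-free check a fastbin free performs:
 * compare the chunk with the bin head ("double free or corruption (fasttop)"). */
static int toy_free(struct bin *b, struct chunk *c)
{
    if (b->top == c)
        return -1;                      /* caught by the fasttop check */
    if (b->check_in_use_bit && !(c->size_and_flags & IN_USE))
        return -1;                      /* hardened: chunk is not in use */
    c->size_and_flags &= ~IN_USE;
    set_fd(c, b->top);
    b->top = c;
    return 0;
}

/* Run free(a); free(b) (plus a second free(a) if do_double_free), then
 * malloc three times. Returns the number of distinct chunks handed out:
 * 3 means the allocator behaved, 2 means one chunk was returned twice.
 * Returns -1 if a free was rejected, i.e. the double free was caught. */
int outcome(int hardened, int do_double_free)
{
    struct bin b;
    bin_init(&b, hardened);
    struct chunk *a = toy_malloc(&b);
    struct chunk *c = toy_malloc(&b);
    if (toy_free(&b, a) != 0 || toy_free(&b, c) != 0)
        return -1;
    if (do_double_free && toy_free(&b, a) != 0)
        return -1;                      /* bin would have been a -> c -> a -> ... */
    struct chunk *x = toy_malloc(&b);
    struct chunk *y = toy_malloc(&b);
    struct chunk *z = toy_malloc(&b);
    return 1 + (y != x) + (z != x && z != y);
}

int main(void)
{
    printf("unhardened, correct frees: %d distinct chunks\n", outcome(0, 0));
    printf("unhardened, double free:   %d distinct chunks\n", outcome(0, 1));
    printf("hardened,   double free:   %d (negative = rejected)\n", outcome(1, 1));
    return 0;
}
```

The in-use bit only closes the free(a); free(b); free(a) ordering; an attacker who can already write the chunk header (for example through an overflow into a neighbouring chunk) can set the bit back before the second free, which is why the same list pairs it with heap cookies. The model also omits the size sanity checks a real fastbin free performs, since they do not bear on this pattern.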

