This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH 3/5] Add single-threaded path to _int_free


DJ Delorie wrote:
> Wilco Dijkstra <Wilco.Dijkstra@arm.com> writes:
> > How often do we iterate more than once? And what are the chances that
> > when there is contention, the block at the top of the bin is the same
> > as the one we're trying to insert but the older one we checked isn't?
>
> Sadly, these are the cases that Bad Guys can create and take advantage
> of to infect systems.  Removing a test should never be done without
> extreme forethought and consideration.

If that's the case then why isn't a double free checked everywhere?

I can free a block many times without getting any errors. It just gets added
to the tcache without any consistency checks! Also freeing a block into
the fastbin even if it is already in the fastbin is not detected. Even repeatedly
freeing the same block after the undetected double free goes completely
undetected despite the supposed check...

So I think any security features need to be well designed and supported.
Doing checks that are completely ineffective doesn't make sense -
that just adds unnecessary overhead while providing no actual security
benefit (in fact it gives a false sense of security which is even worse...).

Wilco
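To make concrete the gap Wilco points at (a top-of-bin comparison misses a double free whenever another free happened in between), here is an added example: a toy singly-linked free list, not glibc code, that models the two styles of check side by side. The "fastbin style" function compares the chunk only with the bin's current top; the "tcache style" function tags each freed chunk with a `key` that is cleared on allocation and walks the bin only when the tag already matches, which is the approach later glibc releases adopted for tcache. The chunk and bin structures, the function names and the scenarios are all constructed for this illustration.

```c
/* Added example, not glibc code: contrast a top-of-bin double-free check
 * with a per-chunk key tag on a toy singly-linked free list. */
#include <stdio.h>
#include <string.h>

typedef struct chunk {
    struct chunk *next;   /* singly-linked free list, like tcache/fastbin */
    void *key;            /* tag: set to the owning bin on free, cleared on malloc */
    char payload[32];     /* user data (constructed placeholder) */
} chunk;

typedef struct {
    chunk *top;
    int count;
} bin;

enum { FREE_OK = 0, FREE_DOUBLE = 1 };

/* Fastbin-style check: only the top entry of the bin is compared.
 * Catches free(A); free(A) but not free(A); free(B); free(A). */
int free_fastbin_style(bin *b, chunk *c)
{
    if (b->top == c)
        return FREE_DOUBLE;
    c->next = b->top;
    b->top = c;
    b->count++;
    return FREE_OK;
}

/* Key-tag check: the cheap test is on c->key; the bin is walked only when the
 * tag already names this bin, i.e. a genuine double free or a chunk whose
 * user data happens to equal the bin pointer. */
int free_tcache_style(bin *b, chunk *c)
{
    if (c->key == b) {
        for (chunk *e = b->top; e != NULL; e = e->next)
            if (e == c)
                return FREE_DOUBLE;
    }
    c->key = b;
    c->next = b->top;
    b->top = c;
    b->count++;
    return FREE_OK;
}

/* Pop the top chunk and clear its tag so a later legitimate free is accepted. */
chunk *malloc_from(bin *b)
{
    chunk *c = b->top;
    if (c == NULL)
        return NULL;
    b->top = c->next;
    b->count--;
    c->key = NULL;
    return c;
}

/* Scenario free(A); free(A): both checks detect it. */
int demo_fastbin_catches_aa(void)
{
    chunk a; bin b = { NULL, 0 };            /* constructed chunk and bin */
    memset(&a, 0, sizeof a);
    free_fastbin_style(&b, &a);
    return free_fastbin_style(&b, &a);       /* FREE_DOUBLE */
}

/* Scenario free(A); free(B); free(A): the top-of-bin check lets it through. */
int demo_fastbin_misses_aba(void)
{
    chunk a, c; bin b = { NULL, 0 };
    memset(&a, 0, sizeof a); memset(&c, 0, sizeof c);
    free_fastbin_style(&b, &a);
    free_fastbin_style(&b, &c);
    return free_fastbin_style(&b, &a);       /* FREE_OK: undetected */
}

/* Same scenario under the key tag: detected after a bounded walk of the bin. */
int demo_tcache_catches_aba(void)
{
    chunk a, c; bin b = { NULL, 0 };
    memset(&a, 0, sizeof a); memset(&c, 0, sizeof c);
    free_tcache_style(&b, &a);
    free_tcache_style(&b, &c);
    return free_tcache_style(&b, &a);        /* FREE_DOUBLE */
}

/* free(A); malloc -> A; free(A) is legitimate and must still pass. */
int demo_tcache_allows_reuse(void)
{
    chunk a; bin b = { NULL, 0 };
    memset(&a, 0, sizeof a);
    free_tcache_style(&b, &a);
    (void)malloc_from(&b);                   /* returns &a, clears the tag */
    return free_tcache_style(&b, &a);        /* FREE_OK */
}

int main(void)
{
    printf("fastbin A,A:     %d\n", demo_fastbin_catches_aa());
    printf("fastbin A,B,A:   %d\n", demo_fastbin_misses_aba());
    printf("key-tag A,B,A:   %d\n", demo_tcache_catches_aba());
    printf("key-tag reuse:   %d\n", demo_tcache_allows_reuse());
    return 0;
}
```

The cost model is the point of the comparison: the fastbin-style test is one pointer compare per free but only covers the immediately preceding free, while the key tag costs one store per free plus one compare, and pays for a list walk only when the tag already matches, so the expensive path is taken almost exclusively on the very double frees it is meant to catch.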
