Bug 21754 - malloc: Perform as little work as possible after heap consistency check failures
Summary: malloc: Perform as little work as possible after heap consistency check failures
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: malloc
Version: 2.26
Importance: P2 normal
Target Milestone: 2.27
Assignee: Florian Weimer
URL:
Keywords:
Duplicates: 20066
Depends on:
Blocks: 21046
Reported: 2017-07-12 00:02 UTC by Florian Weimer
Modified: 2021-07-14 03:00 UTC
CC List: 0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security+


Description Florian Weimer 2017-07-12 00:02:03 UTC
We currently perform a backtrace, flush stdio buffers (via abort), do string processing, and so on.  There appear to be exploitation techniques which abuse the current behavior.

This will allow us to remove the corrupted arena handling code.  It is reportedly buggy.
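The following is an added example, written for this page rather than taken from the bug report or from the glibc commits it references, that makes the behaviour change observable from outside the process. A child process clobbers the size field of a heap chunk (a simulated overflow from the neighbouring allocation) and calls free(); the parent captures the child's stdout, stderr and termination status. It assumes Linux and glibc; the exact diagnostic text ("free(): invalid pointer"), the absence of a backtrace, and the fact that the stdio buffer is not flushed are glibc 2.27 behaviour. On glibc 2.26 and earlier with the default check_action, the same run instead prints a multi-line "*** Error in ..." report with a backtrace, and the buffered stdout text arrives because abort() flushed stdio streams. The chunk layout used (b's 8-byte size field immediately after a's 24 usable bytes) is glibc's; the sample string written to stdout is constructed for the demo.

```c
/* Added example (not part of the glibc bug report or its commits): observe a
 * malloc consistency-check failure from the outside.  Assumes Linux + glibc;
 * message text and "no backtrace, no stdio flush" are glibc >= 2.27 behaviour. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

struct demo_result {
    int ran;              /* demo has been executed once */
    int signo;            /* signal that killed the child, 0 if it exited normally */
    int exit_code;        /* exit status if the child exited normally */
    size_t stdout_bytes;  /* bytes of child stdout that reached the parent */
    char stderr_text[512];/* whatever malloc_printerr wrote to fd 2 */
};

static struct demo_result g_demo;

/* Child: corrupt the size field of chunk b, then free it. */
static void child_corrupt_and_free(void)
{
    char *a = malloc(24);
    char *b = malloc(24);
    if (a == NULL || b == NULL)
        _exit(3);

    /* Constructed sample text, no newline: stdout is a pipe here, so this
       stays in the stdio buffer unless something flushes it. */
    printf("stdio data still buffered when the check fires");

    /* Simulated heap overflow: with glibc's layout the 8-byte size field of
       b's chunk sits right after a's 24 usable bytes.  Go through a volatile
       pointer so the compiler (and _FORTIFY_SOURCE) cannot see the overflow. */
    size_t *volatile b_size_field = (size_t *)(a + 24);
    *b_size_field = 0;

    free(b);   /* glibc: _int_free rejects the chunk and calls malloc_printerr */
    _exit(4);  /* only reached if no consistency check fired */
}

/* Parent: run the child once, capturing its output and termination status. */
static const struct demo_result *run_demo(void)
{
    if (g_demo.ran)
        return &g_demo;
    g_demo.ran = 1;

    int out[2], err[2];
    if (pipe(out) != 0 || pipe(err) != 0) { perror("pipe"); exit(1); }
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    if (pid == 0) {
        dup2(out[1], STDOUT_FILENO);
        dup2(err[1], STDERR_FILENO);
        close(out[0]); close(out[1]); close(err[0]); close(err[1]);
        child_corrupt_and_free();
    }
    close(out[1]);
    close(err[1]);

    char buf[512];
    ssize_t n;
    while ((n = read(out[0], buf, sizeof buf)) > 0)
        g_demo.stdout_bytes += (size_t)n;
    size_t used = 0;
    while ((n = read(err[0], g_demo.stderr_text + used,
                     sizeof g_demo.stderr_text - 1 - used)) > 0)
        used += (size_t)n;
    g_demo.stderr_text[used] = '\0';
    close(out[0]);
    close(err[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status))
        g_demo.signo = WTERMSIG(status);
    else if (WIFEXITED(status))
        g_demo.exit_code = WEXITSTATUS(status);
    return &g_demo;
}

/* Accessors so the outcome can be checked rather than only printed. */
int demo_child_signal(void)          { return run_demo()->signo; }
size_t demo_stdout_bytes(void)       { return run_demo()->stdout_bytes; }
const char *demo_stderr_text(void)   { return run_demo()->stderr_text; }
int demo_reports_free_error(void)    { return strstr(run_demo()->stderr_text, "free()") != NULL; }

int main(void)
{
    const struct demo_result *r = run_demo();
    printf("child killed by signal %d (%s)\n", r->signo,
           r->signo == SIGABRT ? "SIGABRT" : "other");
    printf("child stderr: %s", r->stderr_text);
    printf("bytes of child stdout that were flushed before death: %zu\n",
           r->stdout_bytes);
    return 0;
}
```

Run it and compare the three lines of output across glibc versions: on 2.27 and later the child dies with SIGABRT, stderr carries only the one-line diagnostic, and zero stdout bytes arrive; the corrupted process does no backtrace, string formatting or stream flushing before it is killed, which is the point of this bug.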
Comment 1 cvs-commit@gcc.gnu.org 2017-08-30 14:56:24 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  ec2c1fcefb200c6cb7e09553f3c6af8815013d83 (commit)
      from  9ce673b69e82578044958f66d93dcaddb23f6e95 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ec2c1fcefb200c6cb7e09553f3c6af8815013d83

commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 30 16:39:41 2017 +0200

    malloc: Abort on heap corruption, without a backtrace [BZ #21754]
    
    The stack trace printing caused deadlocks and has itself been
    targeted by code execution exploits.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    9 +++++++++
 NEWS                 |    8 ++++++++
 malloc/malloc.c      |   23 ++++-------------------
 manual/memory.texi   |   20 +++++++++-----------
 manual/tunables.texi |   28 +++++++---------------------
 5 files changed, 37 insertions(+), 51 deletions(-)
Comment 2 cvs-commit@gcc.gnu.org 2017-08-30 18:10:13 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  ac3ed168d0c0b2b702319ac0db72c9b475a8c72e (commit)
      from  44bcba80f309b7517f8f954b0389e60eb421373b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ac3ed168d0c0b2b702319ac0db72c9b475a8c72e

commit ac3ed168d0c0b2b702319ac0db72c9b475a8c72e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 30 19:29:38 2017 +0200

    malloc: Remove check_action variable [BZ #21754]
    
    Clean up calls to malloc_printerr and trim its argument list.
    
    This also removes a few bits of work done before calling
    malloc_printerr (such as unlocking operations).
    
    The tunable/environment variable still enables the lightweight
    additional malloc checking, but mallopt (M_CHECK_ACTION)
    no longer has any effect.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog          |   27 +++++++++
 malloc/arena.c     |   11 +---
 malloc/hooks.c     |   55 ++-----------------
 malloc/malloc.c    |  152 ++++++++++-----------------------------------------
 manual/memory.texi |    1 -
 manual/probes.texi |    7 ---
 6 files changed, 65 insertions(+), 188 deletions(-)
Comment 3 Florian Weimer 2017-08-30 18:12:23 UTC
Fixed in 2.27.
Comment 4 cvs-commit@gcc.gnu.org 2017-11-28 14:11:32 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  f312f235d535fac5c3ff2b0aa7cacb1958aa4529 (commit)
       via  3664f34346f26cd40f11ede0440af7b915d1086f (commit)
       via  fe161827c50804fcd5a62c88d19c4d97d6ce2b8d (commit)
       via  e759c32364cae6e5d309e70226de71af4caf5500 (commit)
       via  0e24837040c724b067ea95e978139f5df562067b (commit)
       via  590b24e6e066cbb7d3e5befbb665ed844fbca083 (commit)
       via  533afac92904cc6037b54469763105508b45ace0 (commit)
       via  675e8785dc66ea0dba39c65ee7cf1bc8d185e723 (commit)
       via  ee717ed23df6a96200a9ec923700a73dae521200 (commit)
       via  87889967934d237b11f98945a96c46f0015445e0 (commit)
      from  aaa2eb83b8b6623ddb9cea44445b5342f96100be (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f312f235d535fac5c3ff2b0aa7cacb1958aa4529

commit f312f235d535fac5c3ff2b0aa7cacb1958aa4529
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Tue Nov 28 19:16:19 2017 +0530

    Add single-threaded path to _int_malloc
    
    This patch adds single-threaded fast paths to _int_malloc.
    
    	* malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path.
    
    (cherry-picked 905a7725e9157ea522d8ab97b4c8b96aeb23df54)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3664f34346f26cd40f11ede0440af7b915d1086f

commit 3664f34346f26cd40f11ede0440af7b915d1086f
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Tue Oct 24 12:39:24 2017 +0100

    Add single-threaded path to malloc/realloc/calloc/memalloc
    
    This patch adds a single-threaded fast path to malloc, realloc,
    calloc and memalloc.  When we're single-threaded, we can bypass
    arena_get (which always locks the arena it returns) and just use
    the main arena.  Also avoid retrying a different arena since
    there is just the main arena.
    
    	* malloc/malloc.c (__libc_malloc): Add SINGLE_THREAD_P path.
    	(__libc_realloc): Likewise.
    	(_mid_memalign): Likewise.
    	(__libc_calloc): Likewise.
    
    (cherry-picked 3f6bb8a32e5f5efd78ac08c41e623651cc242a89)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe161827c50804fcd5a62c88d19c4d97d6ce2b8d

commit fe161827c50804fcd5a62c88d19c4d97d6ce2b8d
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Tue Nov 28 19:15:13 2017 +0530

    Fix build issue with SINGLE_THREAD_P
    
    Add sysdep-cancel.h include.
    
    	* malloc/malloc.c (sysdep-cancel.h): Add include.
    
    (cherry-picked 6d43de4b85b11d26a19bebe4f55f31be16e3d419)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e759c32364cae6e5d309e70226de71af4caf5500

commit e759c32364cae6e5d309e70226de71af4caf5500
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Fri Oct 20 17:27:53 2017 +0100

    Add single-threaded path to _int_free
    
    This patch adds single-threaded fast paths to _int_free.
    Bypass the explicit locking for larger allocations.
    
    	* malloc/malloc.c (_int_free): Add SINGLE_THREAD_P fast paths.
    
    (cherry-picked from a15d53e2de4c7d83bda251469d92a3c7b49a90db)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0e24837040c724b067ea95e978139f5df562067b

commit 0e24837040c724b067ea95e978139f5df562067b
Author: Wilco Dijkstra <wdijkstr@arm.com>
Date:   Thu Oct 19 18:19:55 2017 +0100

    Fix deadlock in _int_free consistency check
    
    This patch fixes a deadlock in the fastbin consistency check.
    If we fail the fast check due to concurrent modifications to
    the next chunk or system_mem, we should not lock if we already
    have the arena lock.  Simplify the check to make it obviously
    correct.
    
    	* malloc/malloc.c (_int_free): Fix deadlock bug in consistency check.
    
    (cherry-pick d74e6f6c0de55fc588b1ac09c88eb0fb8b8600af)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=590b24e6e066cbb7d3e5befbb665ed844fbca083

commit 590b24e6e066cbb7d3e5befbb665ed844fbca083
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Aug 31 14:55:11 2017 +0200

    malloc: Resolve compilation failure in NDEBUG mode
    
    In _int_free, the locked variable is not used if NDEBUG is defined.
    
    (cherry-picked from 24cffce7366c4070d8f823702a4fcec2cb732595)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=533afac92904cc6037b54469763105508b45ace0

commit 533afac92904cc6037b54469763105508b45ace0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Aug 31 12:02:59 2017 +0200

    malloc: Change top_check return type to void
    
    After commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83,
    (malloc: Abort on heap corruption, without a backtrace), the function
    always returns 0.
    
    (cherry-picked from 5129873a8e913e207e5f7b4b521c72f41a1bbf6d)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=675e8785dc66ea0dba39c65ee7cf1bc8d185e723

commit 675e8785dc66ea0dba39c65ee7cf1bc8d185e723
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Nov 28 19:10:16 2017 +0530

    malloc: Remove corrupt arena flag
    
    This is no longer needed because we now abort immediately
    once heap corruption is detected.
    
    (cherry-picked from a9da0bb2667ab20f1dbcd0a9ae6846db02fbc96a)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee717ed23df6a96200a9ec923700a73dae521200

commit ee717ed23df6a96200a9ec923700a73dae521200
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 30 19:29:38 2017 +0200

    malloc: Remove check_action variable [BZ #21754]
    
    Clean up calls to malloc_printerr and trim its argument list.
    
    This also removes a few bits of work done before calling
    malloc_printerr (such as unlocking operations).
    
    The tunable/environment variable still enables the lightweight
    additional malloc checking, but mallopt (M_CHECK_ACTION)
    no longer has any effect.
    
    (cherry-picked from ac3ed168d0c0b2b702319ac0db72c9b475a8c72e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=87889967934d237b11f98945a96c46f0015445e0

commit 87889967934d237b11f98945a96c46f0015445e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 30 16:39:41 2017 +0200

    malloc: Abort on heap corruption, without a backtrace [BZ #21754]
    
    The stack trace printing caused deadlocks and has itself been
    targeted by code execution exploits.
    
    (cherry-picked from ec2c1fcefb200c6cb7e09553f3c6af8815013d83)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |   79 +++++++++++
 NEWS                 |   10 ++
 malloc/arena.c       |   31 +----
 malloc/hooks.c       |   81 +++---------
 malloc/malloc.c      |  373 +++++++++++++++++++++-----------------------------
 manual/memory.texi   |   21 ++--
 manual/probes.texi   |    7 -
 manual/tunables.texi |   28 +---
 8 files changed, 281 insertions(+), 349 deletions(-)
Comment 5 Siddhesh Poyarekar 2021-07-14 03:00:43 UTC
*** Bug 20066 has been marked as a duplicate of this bug. ***