We currently perform a backtrace, flush stdio buffers (via abort), do string processing, and so on. There appear to be exploitation techniques which abuse the current behavior. This will allow us to remove the corrupted arena handling code. It is reportedly buggy.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, master has been updated via ec2c1fcefb200c6cb7e09553f3c6af8815013d83 (commit) from 9ce673b69e82578044958f66d93dcaddb23f6e95 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ec2c1fcefb200c6cb7e09553f3c6af8815013d83 commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83 Author: Florian Weimer <fweimer@redhat.com> Date: Wed Aug 30 16:39:41 2017 +0200 malloc: Abort on heap corruption, without a backtrace [BZ #21754] The stack trace printing caused deadlocks and has been itself been targeted by code execution exploits. ----------------------------------------------------------------------- Summary of changes: ChangeLog | 9 +++++++++ NEWS | 8 ++++++++ malloc/malloc.c | 23 ++++------------------- manual/memory.texi | 20 +++++++++----------- manual/tunables.texi | 28 +++++++--------------------- 5 files changed, 37 insertions(+), 51 deletions(-)
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, master has been updated via ac3ed168d0c0b2b702319ac0db72c9b475a8c72e (commit) from 44bcba80f309b7517f8f954b0389e60eb421373b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ac3ed168d0c0b2b702319ac0db72c9b475a8c72e commit ac3ed168d0c0b2b702319ac0db72c9b475a8c72e Author: Florian Weimer <fweimer@redhat.com> Date: Wed Aug 30 19:29:38 2017 +0200 malloc: Remove check_action variable [BZ #21754] Clean up calls to malloc_printerr and trim its argument list. This also removes a few bits of work done before calling malloc_printerr (such as unlocking operations). The tunable/environment variable still enables the lightweight additional malloc checking, but mallopt (M_CHECK_ACTION) no longer has any effect. ----------------------------------------------------------------------- Summary of changes: ChangeLog | 27 +++++++++ malloc/arena.c | 11 +--- malloc/hooks.c | 55 ++----------------- malloc/malloc.c | 152 ++++++++++----------------------------------------- manual/memory.texi | 1 - manual/probes.texi | 7 --- 6 files changed, 65 insertions(+), 188 deletions(-)
Fixed in 2.27.
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GNU C Library master sources". The branch, release/2.26/master has been updated via f312f235d535fac5c3ff2b0aa7cacb1958aa4529 (commit) via 3664f34346f26cd40f11ede0440af7b915d1086f (commit) via fe161827c50804fcd5a62c88d19c4d97d6ce2b8d (commit) via e759c32364cae6e5d309e70226de71af4caf5500 (commit) via 0e24837040c724b067ea95e978139f5df562067b (commit) via 590b24e6e066cbb7d3e5befbb665ed844fbca083 (commit) via 533afac92904cc6037b54469763105508b45ace0 (commit) via 675e8785dc66ea0dba39c65ee7cf1bc8d185e723 (commit) via ee717ed23df6a96200a9ec923700a73dae521200 (commit) via 87889967934d237b11f98945a96c46f0015445e0 (commit) from aaa2eb83b8b6623ddb9cea44445b5342f96100be (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f312f235d535fac5c3ff2b0aa7cacb1958aa4529 commit f312f235d535fac5c3ff2b0aa7cacb1958aa4529 Author: Wilco Dijkstra <wdijkstr@arm.com> Date: Tue Nov 28 19:16:19 2017 +0530 Add single-threaded path to _int_malloc This patch adds single-threaded fast paths to _int_malloc. * malloc/malloc.c (_int_malloc): Add SINGLE_THREAD_P path. (cherry-picked 905a7725e9157ea522d8ab97b4c8b96aeb23df54) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3664f34346f26cd40f11ede0440af7b915d1086f commit 3664f34346f26cd40f11ede0440af7b915d1086f Author: Wilco Dijkstra <wdijkstr@arm.com> Date: Tue Oct 24 12:39:24 2017 +0100 Add single-threaded path to malloc/realloc/calloc/memalloc This patch adds a single-threaded fast path to malloc, realloc, calloc and memalloc. When we're single-threaded, we can bypass arena_get (which always locks the arena it returns) and just use the main arena. Also avoid retrying a different arena since there is just the main arena. * malloc/malloc.c (__libc_malloc): Add SINGLE_THREAD_P path. (__libc_realloc): Likewise. (_mid_memalign): Likewise. (__libc_calloc): Likewise. (cherry-picked 3f6bb8a32e5f5efd78ac08c41e623651cc242a89) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fe161827c50804fcd5a62c88d19c4d97d6ce2b8d commit fe161827c50804fcd5a62c88d19c4d97d6ce2b8d Author: Wilco Dijkstra <wdijkstr@arm.com> Date: Tue Nov 28 19:15:13 2017 +0530 Fix build issue with SINGLE_THREAD_P Add sysdep-cancel.h include. * malloc/malloc.c (sysdep-cancel.h): Add include. (cherry-picked 6d43de4b85b11d26a19bebe4f55f31be16e3d419) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e759c32364cae6e5d309e70226de71af4caf5500 commit e759c32364cae6e5d309e70226de71af4caf5500 Author: Wilco Dijkstra <wdijkstr@arm.com> Date: Fri Oct 20 17:27:53 2017 +0100 Add single-threaded path to _int_free This patch adds single-threaded fast paths to _int_free. Bypass the explicit locking for larger allocations. * malloc/malloc.c (_int_free): Add SINGLE_THREAD_P fast paths. (cherry-picked from a15d53e2de4c7d83bda251469d92a3c7b49a90db) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0e24837040c724b067ea95e978139f5df562067b commit 0e24837040c724b067ea95e978139f5df562067b Author: Wilco Dijkstra <wdijkstr@arm.com> Date: Thu Oct 19 18:19:55 2017 +0100 Fix deadlock in _int_free consistency check This patch fixes a deadlock in the fastbin consistency check. If we fail the fast check due to concurrent modifications to the next chunk or system_mem, we should not lock if we already have the arena lock. Simplify the check to make it obviously correct. * malloc/malloc.c (_int_free): Fix deadlock bug in consistency check. (cherry-pick d74e6f6c0de55fc588b1ac09c88eb0fb8b8600af) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=590b24e6e066cbb7d3e5befbb665ed844fbca083 commit 590b24e6e066cbb7d3e5befbb665ed844fbca083 Author: Florian Weimer <fweimer@redhat.com> Date: Thu Aug 31 14:55:11 2017 +0200 malloc: Resolve compilation failure in NDEBUG mode In _int_free, the locked variable is not used if NDEBUG is defined. (cherry-picked from 24cffce7366c4070d8f823702a4fcec2cb732595) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=533afac92904cc6037b54469763105508b45ace0 commit 533afac92904cc6037b54469763105508b45ace0 Author: Florian Weimer <fweimer@redhat.com> Date: Thu Aug 31 12:02:59 2017 +0200 malloc: Change top_check return type to void After commit ec2c1fcefb200c6cb7e09553f3c6af8815013d83, (malloc: Abort on heap corruption, without a backtrace), the function always returns 0. (cherry-picked from 5129873a8e913e207e5f7b4b521c72f41a1bbf6d) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=675e8785dc66ea0dba39c65ee7cf1bc8d185e723 commit 675e8785dc66ea0dba39c65ee7cf1bc8d185e723 Author: Florian Weimer <fweimer@redhat.com> Date: Tue Nov 28 19:10:16 2017 +0530 malloc: Remove corrupt arena flag This is no longer needed because we now abort immediately once heap corruption is detected. (cherry-picked from a9da0bb2667ab20f1dbcd0a9ae6846db02fbc96a) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ee717ed23df6a96200a9ec923700a73dae521200 commit ee717ed23df6a96200a9ec923700a73dae521200 Author: Florian Weimer <fweimer@redhat.com> Date: Wed Aug 30 19:29:38 2017 +0200 malloc: Remove check_action variable [BZ #21754] Clean up calls to malloc_printerr and trim its argument list. This also removes a few bits of work done before calling malloc_printerr (such as unlocking operations). The tunable/environment variable still enables the lightweight additional malloc checking, but mallopt (M_CHECK_ACTION) no longer has any effect. (cherry-picked from ac3ed168d0c0b2b702319ac0db72c9b475a8c72e) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=87889967934d237b11f98945a96c46f0015445e0 commit 87889967934d237b11f98945a96c46f0015445e0 Author: Florian Weimer <fweimer@redhat.com> Date: Wed Aug 30 16:39:41 2017 +0200 malloc: Abort on heap corruption, without a backtrace [BZ #21754] The stack trace printing caused deadlocks and has been itself been targeted by code execution exploits. (cherry-picked from ec2c1fcefb200c6cb7e09553f3c6af8815013d83) ----------------------------------------------------------------------- Summary of changes: ChangeLog | 79 +++++++++++ NEWS | 10 ++ malloc/arena.c | 31 +---- malloc/hooks.c | 81 +++--------- malloc/malloc.c | 373 +++++++++++++++++++++----------------------------- manual/memory.texi | 21 ++-- manual/probes.texi | 7 - manual/tunables.texi | 28 +--- 8 files changed, 281 insertions(+), 349 deletions(-)
*** Bug 20066 has been marked as a duplicate of this bug. ***