This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: use-after-free / double-free exploit mitigation
- From: Florian Weimer <fweimer at redhat dot com>
- To: up201407890 at alunos dot dcc dot fc dot up dot pt, Martin Sebor <msebor at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Thu, 7 Sep 2017 18:00:39 +0200
- Subject: Re: use-after-free / double-free exploit mitigation
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx09.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx09.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=fweimer at redhat dot com
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 915FB4E334
- References: <20170906144653.14363oywmmoc9ug4@webmail.alunos.dcc.fc.up.pt>
On 09/06/2017 02:46 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> What are your thoughts on adding a SAFE_FREE() macro to glibc:
>
> #define SAFE_FREE(x) do { if((x) != 0x0) { free(x); (x) = (void *)0x1; }
> } while(0)
>
> After free(x), we set x to an address that will crash when dereferenced
> (use-after-free), and will also crash when it's an argument to free().
> Note that NULL isn't used, because free(NULL) does nothing, which might
> hide potential double-free bugs.
Maybe GCC should optionally do this for the actual call to free. There
is some debate to what extend pointer *values* remain valid after free.
Martin Sebor may have some thought on that.
In any case, some GCC assistance is needed so that
free (some_struct->ptr);
free (some_struct);
actually clobbers some_struct->ptr. I don't think we want to call out
to explicit_bzero here.
Thanks,
Florian