This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Thread stack and heap caches - CVE-2019-1010024


Hi,

Regarding the bug related to the thread stack and heap caches (CVE-2019-1010024).
https://sourceware.org/bugzilla/show_bug.cgi?id=22852

>> One way to harden is to use a tunable for a thread stack cache, and set that to zero.
The change below in the glibc allocatestack.c file gives the expected output
with the test case. Verified on an x86_64 target.
=======================================================
--- a/nptl/allocatestack.c
+++ b/nptl/allocatestack.c
@@ -186,6 +186,7 @@ get_cached_stack (size_t *sizep, void **memp)
       struct pthread *curr;

       curr = list_entry (entry, struct pthread, list);
+      curr->stackblock_size = 0;
       if (FREE_P (curr) && curr->stackblock_size >= size)
        {
          if (curr->stackblock_size == size)
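Review bot: the added `curr->stackblock_size = 0;` runs for every entry on the cache list before the `FREE_P (curr) && curr->stackblock_size >= size` test, so it does not bypass the cache so much as destroy the recorded size of every cached stack; anything that later reads `stackblock_size` for one of those descriptors (deallocation, cache-size accounting) now sees zero. The quoted suggestion was a tunable for the stack cache set to zero: gate the lookup on such a tunable (return without searching when the cache size is zero) rather than mutating the descriptors, which also keeps the existing match logic intact. The hunk also only touches the stack cache; the heap-cache half of the subject line is not addressed here.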
=======================================================

Output with the above patch in glibc trunk:

strace -e mmap,munmap ./thread.out
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f387b0df000
mmap(NULL, 139704, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f387b0bc000
mmap(0x7f387b0c3000, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f387b0c3000
mmap(0x7f387b0d3000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f387b0d3000
mmap(0x7f387b0d9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7f387b0d9000
mmap(0x7f387b0db000, 12728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f387b0db000
mmap(NULL, 1774424, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f387af0a000
mmap(0x7f387af2f000, 1277952, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7f387af2f000
mmap(0x7f387b067000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15d000) = 0x7f387b067000
mmap(0x7f387b0b2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a7000) = 0x7f387b0b2000
mmap(0x7f387b0b8000, 13144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f387b0b8000
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f387af07000
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f387a706000
addr: 0x7f387af03ee0
value deadbeef
malloced 0x7f3874000f70
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3879f05000
addr: 0x7f387a702ee0
value 0
malloced 0x7f3874000f70
+++ exited with 0 +++

Re-sending due to a bounce-back of the previous mail.

Regards,
Vinay
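The test program behind the output above is not part of the mail, so the following is an added example (not the author's test case and not glibc code) of the same kind of regression check: a first thread writes a recognisable pattern deep into its own stack and exits, a second thread is created after the join, and the program reports whether the second thread received the same stack block and how much of the pattern it can still read there. With the default stack cache the block is typically reused and the pattern survives; with the cache disabled (a tunable set to zero, or a change like the one posted) the second thread gets a freshly mapped, zero-filled stack and reports nothing intact. Names such as `probe_state`, `run_probe` and `MARKER_BYTES` are this example's own; it assumes glibc/NPTL on Linux and only reads the old region when the frame address proves both threads share one stack block.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the pattern the first thread leaves deep in its stack. */
#define MARKER_BYTES 65536
#define MARKER_BYTE  0xAB

/* Shared state between the two probe threads (constructed for this example). */
struct probe_state {
    int phase;             /* 1: write the pattern, 2: look for it */
    uintptr_t frame_addr;  /* address of a local in the start routine, phase 1 */
    uintptr_t marker_addr; /* where phase 1 left the pattern */
    int reused;            /* phase 2: same stack block as phase 1? */
    size_t survived;       /* phase 2: pattern bytes still intact */
};

/* First thread: fill a large volatile buffer in a callee frame and record its
 * address.  noinline keeps the buffer below the start routine's frame; volatile
 * keeps the compiler from dropping stores to a buffer that is never read here. */
__attribute__((noinline))
static void write_marker(struct probe_state *st)
{
    volatile unsigned char buf[MARKER_BYTES];
    for (size_t i = 0; i < MARKER_BYTES; i++)
        buf[i] = MARKER_BYTE;
    st->marker_addr = (uintptr_t)buf;  /* dangles once we return: that is the probe */
}

/* Second thread: count how many bytes of the old pattern are still present.
 * Only called once the caller has established the region is inside this
 * thread's own (reused) stack mapping. */
__attribute__((noinline))
static size_t count_marker(uintptr_t addr)
{
    const volatile unsigned char *p = (const volatile unsigned char *)addr;
    size_t n = 0;
    for (size_t i = 0; i < MARKER_BYTES; i++)
        if (p[i] == MARKER_BYTE)
            n++;
    return n;
}

/* One start routine for both phases so the frame layout is identical: if the
 * address of `anchor` matches between the two runs, the stack block was reused. */
static void *probe_thread(void *arg)
{
    struct probe_state *st = arg;
    volatile int anchor = 0;

    if (st->phase == 1) {
        st->frame_addr = (uintptr_t)&anchor;
        write_marker(st);
    } else {
        st->reused = ((uintptr_t)&anchor == st->frame_addr);
        st->survived = st->reused ? count_marker(st->marker_addr) : 0;
    }
    return NULL;
}

/* Run the two-thread probe; returns 0 on success, -1 on a pthread failure.
 * pthread_join returns only after the first thread is gone and its stack has
 * been handed back, so the second thread sees whatever the allocator does next. */
int run_probe(struct probe_state *st)
{
    pthread_t t;
    st->phase = 1;
    if (pthread_create(&t, NULL, probe_thread, st) != 0 || pthread_join(t, NULL) != 0)
        return -1;
    st->phase = 2;
    if (pthread_create(&t, NULL, probe_thread, st) != 0 || pthread_join(t, NULL) != 0)
        return -1;
    return 0;
}

int main(void)
{
    struct probe_state st = {0};
    if (run_probe(&st) != 0) {
        fprintf(stderr, "probe failed\n");
        return 1;
    }
    printf("stack block reused: %s\n", st.reused ? "yes" : "no");
    printf("pattern bytes still intact: %zu of %u\n", st.survived, MARKER_BYTES);
    return 0;
}
```

A handful of bytes at the top of the region are normally overwritten by the second thread's own small frames, so a "reused" result with almost all of the pattern intact is the leak the bug report describes; "reused: no" with zero bytes intact is what the hardening should produce. Build with the same glibc you are testing and run it under `strace -e mmap,munmap` as above to confirm the second `MAP_STACK` mapping appears only when the cache is off.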

