[suggestion] tcache double-free check
Carlos O'Donell
carlos@redhat.com
Thu Jul 23 02:35:40 GMT 2020
On 7/21/20 2:03 AM, Florian Weimer wrote:
> * Carlos O'Donell:
>
>>> Instead of using some arbitrary constant or coming up with a fancy
>>> random value, is it possible we update the key to something that won't
>>> point to a critical memory management struct such as the tcache
>>> control block? I suggest a simple change that will ensure that the
>>> value used won't be a pointer that can be dereferenced: ~tcache
>>> (instead of tcache). The bitwise not costs a mere 1 CPU cycle, while
>>> making sure the key won't be a valid memory address.
>>
>> That sounds good to me.
>>
>> I assume the point being that you can't use a "memory derefernce"
>> gadget directly with that memory, you'd need some other primitive
>> to process the ~tcache.
>
> Why can't we use a random marker value? Then we don't leak an address,
> either.
I'm not against it, but we'd need something that is random, and for that
we need entropy. What have we got to use?
--
Cheers,
Carlos.
More information about the Libc-alpha
mailing list