[0/1] Improved double free detection in the tcache.

Message ID ad1603799cd4eb35e3e710723693ad7f@fau.de (mailing list archive)
State Changes Requested
Delegated to: Wilco Dijkstra

Commit Message

Lau, David April 4, 2025, 2:26 p.m. UTC
  From 58d14d7734d7f912805e220668f86cf8fb1ff6a3 Mon Sep 17 00:00:00 2001
From: David Lau <david.lau@fau.de>
Date: Fri, 4 Apr 2025 16:16:14 +0200
Subject: [PATCH 0/1] Improved double free detection in the tcache.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: libc-alpha@sourceware.org

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

Signed-off-by:  David Lau <david.lau@fau.de>

David Lau (1):
  malloc: Improved double free detection in the tcache.

 malloc/malloc.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
  

Patch

From 58d14d7734d7f912805e220668f86cf8fb1ff6a3 Mon Sep 17 00:00:00 2001
From: David Lau <david.lau@fau.de>
Date: Fri, 4 Apr 2025 14:25:26 +0200
Subject: [PATCH 1/1] malloc: Improved double free detection in the tcache.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To: libc-alpha@sourceware.org

Problem:
The previous double free detection didn't account for an attacker
using a Poison Null Byte to change the size of a memory chunk, and
thus the bin it is being sorted into, so that the check in
'tcache_double_free_verify' would pass even though it is a double
free.

Alternatives Considered:
- Store the size of a memory chunk in big endian, so that the
  chunk size would not get overwritten because entries in the
  tcache are not that big.

- Move the tcache_key before the actual memory chunk so that it
  does not have to be checked at all. This would work better in general,
  but it would also increase the memory usage.

Signed-off-by:  David Lau <david.lau@fau.de>
---
 malloc/malloc.c | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index a0bc733482..330ff78afe 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3226,23 +3226,26 @@  tcache_available (size_t tc_idx)
 /* Verify if the suspicious tcache_entry is double free.
    It's not expected to execute very often, mark it as noinline.  */
 static __attribute__ ((noinline)) void
-tcache_double_free_verify (tcache_entry *e, size_t tc_idx)
+tcache_double_free_verify (tcache_entry *e)
 {
   tcache_entry *tmp;
   size_t cnt = 0;
   LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);
-  for (tmp = tcache->entries[tc_idx];
-       tmp;
-       tmp = REVEAL_PTR (tmp->next), ++cnt)
+  for (size_t tc_idx = 0; tc_idx < TCACHE_MAX_BINS; ++tc_idx)
     {
-      if (cnt >= mp_.tcache_count)
-	malloc_printerr ("free(): too many chunks detected in tcache");
-      if (__glibc_unlikely (!aligned_OK (tmp)))
-	malloc_printerr ("free(): unaligned chunk detected in tcache 2");
-      if (tmp == e)
-	malloc_printerr ("free(): double free detected in tcache 2");
-      /* If we get here, it was a coincidence.  We've wasted a
-	 few cycles, but don't abort.  */
+      for (tmp = tcache->entries[tc_idx];
+           tmp;
+           tmp = REVEAL_PTR (tmp->next), ++cnt)
+        {
+          if (cnt >= mp_.tcache_count)
+    	malloc_printerr ("free(): too many chunks detected in tcache");
+          if (__glibc_unlikely (!aligned_OK (tmp)))
+    	malloc_printerr ("free(): unaligned chunk detected in tcache 2");
+          if (tmp == e)
+    	malloc_printerr ("free(): double free detected in tcache 2");
+          /* If we get here, it was a coincidence.  We've wasted a
+    	 few cycles, but don't abort.  */
+        }
     }
 }
 
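Review bot: `LIBC_PROBE (memory_tcache_double_free, 2, e, tc_idx);` still references `tc_idx`, but the parameter was removed and the only `tc_idx` now in scope is the loop variable declared in the `for` below it, so this hunk does not compile as posted; either declare the bin index before the probe or drop it from the probe's arguments (and note the arity change in the commit message and the probe's documentation). Second, `cnt` is initialised once and never reset between bins, so `if (cnt >= mp_.tcache_count)` now counts entries across all `TCACHE_MAX_BINS` bins: on a key collision that is merely a coincidence, a tcache holding more than `mp_.tcache_count` entries in total would abort with "free(): too many chunks detected in tcache" even though no single bin exceeds its limit; reset `cnt = 0` at the top of the outer loop body. Finally, the new inner-loop lines mix four spaces followed by a tab (e.g. `    	malloc_printerr ("free(): too many chunks detected in tcache");`), which does not match the surrounding GNU indentation; retab before resubmitting.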
@@ -3263,7 +3266,7 @@  tcache_free (mchunkptr p, INTERNAL_SIZE_T size)
 	 2^<size_t> chance), so verify it's not an unlikely
 	 coincidence before aborting.  */
       if (__glibc_unlikely (e->key == tcache_key))
-	tcache_double_free_verify (e, tc_idx);
+	tcache_double_free_verify (e);
 
       if (tcache->counts[tc_idx] < mp_.tcache_count)
 	{
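Review bot: `tc_idx` is still in scope at this call site, so it could continue to be passed to `tcache_double_free_verify` to keep the probe's arguments intact and to let the callee check the chunk's own bin first before walking the remaining bins; if the signature change is kept, the commit message should state that the probe no longer reports the bin index.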
-- 
2.34.1