aboutsummaryrefslogtreecommitdiff
path: root/nss
diff options
context:
space:
mode:
authorSiddhesh Poyarekar <siddhesh@sourceware.org>2021-07-07 23:02:46 +0530
committerSiddhesh Poyarekar <siddhesh@sourceware.org>2021-07-08 01:39:38 +0530
commitfc859c304898a5ec72e0ba5269ed136ed0ea10e1 (patch)
treef060c61e0954f04cf4d01df4a7bc1a56e3cf5a70 /nss
parentf9c8b11ed7726b858cd7b7cea0d3d7c5233d78cf (diff)
downloadglibc-fc859c304898a5ec72e0ba5269ed136ed0ea10e1.zip
glibc-fc859c304898a5ec72e0ba5269ed136ed0ea10e1.tar.gz
glibc-fc859c304898a5ec72e0ba5269ed136ed0ea10e1.tar.bz2
Harden tcache double-free check
The tcache allocator layer uses the tcache pointer as a key to identify a block that may be freed twice. Since this is in the application data area, an attacker exploiting a use-after-free could potentially get access to the entire tcache structure through this key. A detailed write-up was provided by Awarau here: https://awaraucom.wordpress.com/2020/07/19/house-of-io-remastered/ Replace this static pointer use for key checking with one that is generated at malloc initialization. The first attempt is through getrandom with a fallback to random_bits(), which is a simple pseudo-random number generator based on the clock. The fallback ought to be sufficient since the goal of the randomness is only to make the key arbitrary enough that it is very unlikely to collide with user data. Co-authored-by: Eyal Itkin <eyalit@checkpoint.com>
Diffstat (limited to 'nss')
0 files changed, 0 insertions, 0 deletions