From patchwork Tue Feb 25 17:13:19 2025
X-Patchwork-Submitter: Ben Kallus
X-Patchwork-Id: 107069
From: Ben Kallus
To: libc-alpha@sourceware.org
Cc: dj@redhat.com, adhemerval.zanella@linaro.org, Ben Kallus, Ben Williams
Subject: [PATCH] malloc: Improve tcache double-free detection
Date: Tue, 25 Feb 2025 12:13:19 -0500
Message-ID: <20250225171319.889661-1-benjamin.p.kallus.gr@dartmouth.edu>

Chunks in the tcache have a pseudorandom key written into them during
tcache_put. This patch adds a check to ensure that the key is still there
when that chunk is taken by tcache_get.

This provides 2 main benefits:

1. malloc can now often detect when a tcache chunk has been double-freed
   across 2 threads. (https://pastebin.com/GSaExsQm)

2. In some scenarios, the key will behave like a canary, which should
   catch some OOB writes and UAFs. (https://pastebin.com/xQbqpb9g)

Signed-off-by: Ben Williams
Signed-off-by: Ben Kallus
---
 malloc/malloc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malloc/malloc.c b/malloc/malloc.c
index dcac903e2a..658f3bbfdd 100644
--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3184,6 +3184,9 @@ tcache_get_n (size_t tc_idx, tcache_entry **ep)
   if (__glibc_unlikely (!aligned_OK (e)))
     malloc_printerr ("malloc(): unaligned tcache chunk detected");
 
+  if (__glibc_unlikely (e->key != tcache_key))
+    malloc_printerr ("malloc(): tcache key corrupted");
+
   if (ep == &(tcache->entries[tc_idx]))
     *ep = REVEAL_PTR (e->next);
   else
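Review bot: The two scenarios the description relies on exist only as pastebin links; since this hunk adds a new fatal path (`malloc(): tcache key corrupted`) to tcache_get_n, which runs on every allocation served from the cache, please turn those scenarios into in-tree malloc tests (a tst-* case that expects the abort, as the existing tcache tests do) and add a NEWS entry, so the behaviour is covered by the testsuite rather than by links that can expire. It would also help reviewers if the commit message stated explicitly what the comparison catches: the key that tcache_put wrote is either gone because an earlier tcache_get already handed the chunk out (the cross-thread double free) or overwritten by a stray write into the cached chunk, and both fail this same `e->key != tcache_key` test.

To make the mechanism in the commit message concrete, here is an added example that is not part of the patch or of glibc: a miniature model of a tcache-style free list in C, with a key stamped on put and verified (then cleared) on get, exercised against the two situations the description names. All names (`model_put`, `model_get`, `tcache_list`, the hypothetical `tcache_key` constant and the two `scenario_*` functions) are constructed for this example; the detection returns an error code instead of aborting so the outcome can be checked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a tcache free-list entry (added example, not glibc
   code): a freed chunk's first bytes hold the next pointer and the key. */
typedef struct entry {
  struct entry *next;
  uintptr_t key;     /* stamped on put, cleared on get */
} entry;

/* One list per "thread" in this model, mirroring per-thread tcaches. */
typedef struct { entry *head; } tcache_list;

/* Stand-in for glibc's per-process random tcache_key (hypothetical value). */
static const uintptr_t tcache_key = (uintptr_t)0x5a17c0de4b3a9d21ULL;

enum get_result { GET_OK = 0, GET_EMPTY = 1, GET_KEY_CORRUPTED = 2 };

/* Model of tcache_put: write the key into the chunk and push it. */
void model_put(tcache_list *tc, void *chunk) {
  entry *e = chunk;
  e->key = tcache_key;
  e->next = tc->head;
  tc->head = e;
}

/* Model of tcache_get with the patch's check: the key written by
   model_put must still be intact, otherwise the chunk is not handed out. */
enum get_result model_get(tcache_list *tc, void **out) {
  entry *e = tc->head;
  if (e == NULL) return GET_EMPTY;
  if (e->key != tcache_key) return GET_KEY_CORRUPTED;   /* the new check */
  tc->head = e->next;
  e->key = 0;        /* the key leaves with the chunk, as in glibc */
  *out = e;
  return GET_OK;
}

/* Ordinary free followed by malloc: key intact, chunk returned. */
int scenario_normal(void) {
  _Alignas(16) unsigned char chunk[32];
  tcache_list tc = {0};
  void *p = NULL;
  model_put(&tc, chunk);
  enum get_result r = model_get(&tc, &p);
  return (r == GET_OK && p == (void *)chunk) ? GET_OK : -1;
}

/* Benefit 1 from the description: the same chunk freed from two threads.
   Thread A reuses it first (clearing the key); thread B's list still
   points at it, and its get now sees a key that is no longer there. */
int scenario_cross_thread_double_free(void) {
  _Alignas(16) unsigned char chunk[32];
  tcache_list thread_a = {0}, thread_b = {0};
  void *p = NULL;
  model_put(&thread_a, chunk);                         /* free() in thread A */
  model_put(&thread_b, chunk);                         /* same chunk, thread B */
  if (model_get(&thread_a, &p) != GET_OK) return -1;   /* A takes it: key cleared */
  return model_get(&thread_b, &p);                     /* B: key mismatch */
}

/* Benefit 2 from the description: the key acts as a canary. A write that
   runs past an in-use chunk lands on the cached neighbour's key, and the
   next get refuses the chunk before touching its clobbered next pointer. */
int scenario_oob_write(void) {
  _Alignas(16) unsigned char arena[64];   /* two adjacent 32-byte chunks */
  tcache_list tc = {0};
  void *p = NULL;
  unsigned char *in_use = arena;          /* still owned by the program */
  model_put(&tc, arena + 32);             /* neighbour sits in the cache */
  memset(in_use, 'A', 48);                /* 16 bytes past the in-use chunk */
  return model_get(&tc, &p);
}

int main(void) {
  printf("normal: %d\n", scenario_normal());
  printf("cross-thread double free: %d\n", scenario_cross_thread_double_free());
  printf("oob write into cached chunk: %d\n", scenario_oob_write());
  return 0;
}
```

The model deliberately checks the key before following `next`, which is what makes the canary behaviour useful: a chunk whose header was overwritten is rejected without the allocator dereferencing the corrupted link. Real glibc additionally checks chunk alignment and uses a pointer-mangling scheme for `next`; both are left out here to keep the key check in focus.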