This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: use-after-free / double-free exploit mitigation

From: Federico Manuel Bento <up201407890 at fc dot up dot pt>
To: fweimer at redhat dot com, msebor at redhat dot com
Cc: libc-alpha at sourceware dot org
Date: Sat, 09 Sep 2017 18:59:00 +0100
Subject: Re: use-after-free / double-free exploit mitigation
Authentication-results: sourceware.org; auth=none

On 09/06/2017 02:46 PM, up201407890@alunos.dcc.fc.up.pt wrote:
What are your thoughts on adding a SAFE_FREE() macro to glibc:

#define SAFE_FREE(x) do { if((x) != 0x0) { free(x); (x) = (void*)0x1; }
} while(0)

After free(x), we set x to an address that will crash whendereferenced(use-after-free), and will also crash when it's an argument tofree().Note that NULL isn't used, because free(NULL) does nothing, whichmight
hide potential double-free bugs.

Maybe GCC should optionally do this for the actual call to free. There
is some debate to what extend pointer *values* remain valid afterfree.
Martin Sebor may have some thought on that.

In any case, some GCC assistance is needed so that

free (some_struct->ptr);
free (some_struct);

actually clobbers some_struct->ptr. I don't think we want to call out
to explicit_bzero here.

One of the advantages of doing this in the compiler (besides not
having to change source code) is distinguishing rvalues from lvalues.

Martin


Perhaps this sould be used when making use of FORTIFY_SOURCE?

Federico.

Follow-Ups:
- Re: use-after-free / double-free exploit mitigation
  - From: Martin Sebor

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]