unofficial mirror of libc-alpha@sourceware.org
From: Florian Weimer <fweimer@redhat.com>
To: Vinay Kumar <vinay.m.engg@gmail.com>
Cc: libc-alpha@sourceware.org,  carlos@redhat.com
Subject: Re: Thread stack and heap caches - CVE-2019-1010024
Date: Mon, 25 Nov 2019 19:10:21 +0100
Message-ID: <87h82rg73m.fsf@oldenburg2.str.redhat.com>
In-Reply-To: <CANUMPcXr+asjC32M1qENUEkBvNj4SGsvE6jNNwsV55H5EhkRiw@mail.gmail.com> (Vinay Kumar's message of "Mon, 4 Nov 2019 16:39:58 +0530")

* Vinay Kumar:

> Hi,
>
> Regarding bug related to Thread stack and heap caches (CVE-2019-1010024).
> https://sourceware.org/bugzilla/show_bug.cgi?id=22852
>
>>> One way to harden is to use a tunable for a thread stack cache, and set that to zero.
> Below change in glibc allocatestack.c file gives the expected output
> with test case. Verified on x86_64 target.
> =======================================================
> --- a/nptl/allocatestack.c
> +++ b/nptl/allocatestack.c
> @@ -186,6 +186,7 @@ get_cached_stack (size_t *sizep, void **memp)
>        struct pthread *curr;
>
>        curr = list_entry (entry, struct pthread, list);
> +      curr->stackblock_size = 0;
>        if (FREE_P (curr) && curr->stackblock_size >= size)
>         {
>           if (curr->stackblock_size == size)
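Review bot: the added `curr->stackblock_size = 0;` runs before the `FREE_P (curr)` check, so it overwrites the recorded size of every stack on the cache list, free or not, and never restores it. The following `curr->stackblock_size >= size` test then fails for every entry, so no stack is ever reused, but the entries stay on the list with a zero size that the code freeing cached stacks still relies on (hence the abort in free_stacks noted in the reply). If the goal is to disable the cache, leave `stackblock_size` intact and instead stop stacks from being queued, for example through the tunable suggested earlier in this thread, rather than zeroing a field other paths depend on.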
> =======================================================

This will just cause crashes (abort in free_stacks).

I tried to emulate the effect with this program:

#include <err.h>
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Thread body: store the address of a local variable, i.e. an address
   inside this thread's own stack, into the location passed by main.  */
static void *
thread (void *closure)
{
  uintptr_t *pp = closure;
  *pp = (uintptr_t) &pp;
  return NULL;
}

int
main (void)
{
  pthread_attr_t attr;
  int ret = pthread_attr_init (&attr);
  if (ret != 0)
    {
      errno = ret;
      err (1, "pthread_attr_init");
    }
  /* 128 MiB is too large for the stack cache, so each thread gets a
     fresh mapping and the stack is unmapped again after it exits.  */
  ret = pthread_attr_setstacksize (&attr, 128 * 1024 * 1024);
  if (ret != 0)
    {
      errno = ret;
      err (1, "pthread_attr_setstacksize");
    }

  /* Create and join one thread at a time and print where its stack was.  */
  for (int i = 0; i < 20; ++i)
    {
      pthread_t thr;
      uintptr_t ptr;
      ret = pthread_create (&thr, &attr, thread, &ptr);
      if (ret != 0)
        {
          errno = ret;
          err (1, "pthread_create");
        }
      ret = pthread_join (thr, NULL);
      if (ret != 0)
        {
          errno = ret;
          err (1, "pthread_join");
        }
      printf ("%p\n", (void *) ptr);
    }
  return 0;
}

Its stack size is so large that the stack is never cached.  If you run
it with strace, you will see that mmap and munmap are called for each
iteration.

As I suspected, it prints the same address again and again because the
kernel does NOT randomize mappings.  Until that happens, there is not
much value in disabling the stack cache.

Thanks,
Florian
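As an added example (not Florian's program and not glibc code), the same sequential-thread experiment generalized to several stack sizes: a small stack that glibc keeps in its cache and hands back to the next thread, and the 128 MiB stack from the program above, which is mapped and unmapped every time. The function counts how many distinct stack addresses the threads report, so a result of 1 means the address repeated on every iteration. The stack sizes, the iteration count and the function names are choices made for this example, not values from the thread.

```c
/* Added example: count distinct thread stack addresses across
   sequentially created and joined threads for a given stack size.
   Sizes, iteration limits and names are choices made for this example.  */
#include <err.h>
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Thread body: record the address of one of its own stack slots.  */
static void *
record_stack_address (void *closure)
{
  uintptr_t *pp = closure;
  *pp = (uintptr_t) &pp;
  return NULL;
}

/* Create and join ITERATIONS threads one after another, each with a
   STACKSIZE-byte stack, and return how many distinct stack addresses
   were observed (1 means the same address every time).  Returns -1
   with errno set if a pthread call fails or ITERATIONS is out of range.  */
int
distinct_stack_addresses (size_t stacksize, int iterations)
{
  enum { MAX_ITER = 64 };
  uintptr_t seen[MAX_ITER];
  int distinct = 0;

  if (iterations < 1 || iterations > MAX_ITER)
    {
      errno = EINVAL;
      return -1;
    }

  pthread_attr_t attr;
  int ret = pthread_attr_init (&attr);
  if (ret != 0)
    {
      errno = ret;
      return -1;
    }
  ret = pthread_attr_setstacksize (&attr, stacksize);
  if (ret != 0)
    {
      pthread_attr_destroy (&attr);
      errno = ret;
      return -1;
    }

  for (int i = 0; i < iterations; ++i)
    {
      pthread_t thr;
      uintptr_t ptr = 0;
      ret = pthread_create (&thr, &attr, record_stack_address, &ptr);
      if (ret == 0)
        ret = pthread_join (thr, NULL);
      if (ret != 0)
        {
          pthread_attr_destroy (&attr);
          errno = ret;
          return -1;
        }
      /* Linear search is fine: the iteration count is tiny.  */
      int j;
      for (j = 0; j < distinct; ++j)
        if (seen[j] == ptr)
          break;
      if (j == distinct)
        seen[distinct++] = ptr;
    }

  pthread_attr_destroy (&attr);
  return distinct;
}

int
main (void)
{
  /* A small stack that stays within glibc's cache and is reused, and
     the 128 MiB stack from the program above, which is never cached.  */
  static const size_t sizes[] = { 256 * 1024, 128 * 1024 * 1024 };
  for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; ++k)
    {
      int n = distinct_stack_addresses (sizes[k], 20);
      if (n < 0)
        err (1, "stack size %zu", sizes[k]);
      printf ("stack size %zu bytes: %d distinct address(es) in 20 threads\n",
              sizes[k], n);
    }
  return 0;
}
```

Run it under strace as described above to see the difference in mechanism: the small size produces no mmap/munmap pair per iteration because the cache returns the same block, while the large size does. A count of 1 for the large size as well is the observation Florian reports: when the kernel places each fresh mapping at the same address, bypassing the cache changes nothing about where the next stack lands.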


Thread overview:
2019-11-04 11:09 Thread stack and heap caches - CVE-2019-1010024 Vinay Kumar
2019-11-04 12:25 ` Florian Weimer
2019-11-11 10:56   ` Vinay Kumar
2019-11-25 16:43     ` Vinay Kumar
2019-11-25 18:10 ` Florian Weimer [this message]
2019-11-25 18:29   ` Vinay Kumar