| field | value | date |
|---|---|---|
| author | Simon Kissane <skissane@gmail.com> | 2023-02-11 08:58:02 +1100 |
| committer | Florian Weimer <fweimer@redhat.com> | 2023-04-28 13:48:40 +0200 |
| commit | ff3a71ec1fc02757b38c9c3209118d14dd10c7b6 (patch) | |
| tree | 8887f2fc49bd44229c57f8c8d587180487b6ddca /NEWS | |
| parent | d230623264e300ac1c827cb83ad7818f122a6a98 (diff) | |
| download | glibc-ff3a71ec1fc02757b38c9c3209118d14dd10c7b6.tar.gz, glibc-ff3a71ec1fc02757b38c9c3209118d14dd10c7b6.tar.xz, glibc-ff3a71ec1fc02757b38c9c3209118d14dd10c7b6.zip | |
gmon: fix memory corruption issues [BZ# 30101]
V2 of this patch fixes an issue in V1, where the state was changed to ON not OFF at the end of _mcleanup. I hadn't noticed that (counterintuitively) ON=0 and OFF=3, hence zeroing the buffer turned it back on. So set the state to OFF after the memset.

1. Prevent double free, and reads from unallocated memory, when _mcleanup is (incorrectly) called two or more times in a row, without an intervening call to __monstartup; with this patch, the second and subsequent calls effectively become no-ops instead. While setting tos=NULL is the minimal fix, the safest action is to zero the whole gmonparam buffer.

2. Prevent memory leak when __monstartup is (incorrectly) called two or more times in a row, without an intervening call to _mcleanup; with this patch, the second and subsequent calls effectively become no-ops instead.

3. After _mcleanup, treat __moncontrol(1) as __moncontrol(0) instead. With zeroing of the gmonparam buffer in _mcleanup, this stops the state incorrectly being changed to GMON_PROF_ON despite profiling actually being off. If we'd just done the minimal fix to _mcleanup of setting tos=NULL, there is a risk of far worse memory corruption: kcount would point to deallocated memory, and the __profil syscall would make the kernel write profiling data into that memory, which could have since been reallocated to something unrelated.

4. Ensure __moncontrol(0) still turns off profiling even in the error state. Otherwise, if mcount overflows and sets the state to GMON_PROF_ERROR, when _mcleanup calls __moncontrol(0), the __profil syscall to disable profiling will not be invoked. _mcleanup will free the buffer, but the kernel will still be writing profiling data into it, potentially corrupting arbitrary memory.

Also adds a test case for (1). Issues (2)-(4) are not feasible to test.

Signed-off-by: Simon Kissane <skissane@gmail.com>
Reviewed-by: DJ Delorie <dj@redhat.com>
(cherry picked from commit bde121872001d8f3224eeafa5b7effb871c3fbca)
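The four items in the commit message describe a small state machine (gmonparam, the kernel-side profil() sampler, and the ON=0/OFF=3 encoding that bit V1 of the patch). The following is an added, reduced model of that state machine written for this page; it is not glibc's gmon.c, and the `model_*` functions, the single-allocation layout, the `kernel_sample_target` stand-in for the __profil syscall, and the choice to leave `state` at GMON_PROF_ERROR after a stop in the error state are all assumptions of the model. Only the enum values are taken from the page (ON=0, OFF=3) and glibc's sys/gmon.h. The model lets each of the four fixes, plus the V1 mistake, be exercised without actually arming the kernel profiler or writing a gmon.out file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values as in glibc's <sys/gmon.h>; the commit message stresses that
   ON == 0, so an all-zero gmonparam reads as "profiling on". */
enum { GMON_PROF_ON = 0, GMON_PROF_BUSY = 1, GMON_PROF_ERROR = 2, GMON_PROF_OFF = 3 };

/* Reduced model of struct gmonparam: only the fields the fix touches. */
struct gmonparam {
  long state;
  unsigned short *kcount;   /* PC-sample histogram the kernel writes into */
  size_t kcountsize;
  void *tos;                /* non-NULL iff __monstartup allocated the buffer */
};

static struct gmonparam gp;

/* Stand-in for the __profil() wrapper (assumption of this model): remembers
   where the kernel would be writing samples so it can be checked later. */
static void *kernel_sample_target;
static void model_profil(void *buf) { kernel_sample_target = buf; }

static void reset_model(void) {
  memset(&gp, 0, sizeof gp);
  gp.state = GMON_PROF_OFF;
  kernel_sample_target = NULL;
}

/* Model of __moncontrol after items (3) and (4) of the fix. */
static void model_moncontrol(int mode) {
  /* (3): a start request after _mcleanup (tos == NULL), or while in the
     error state, is treated as a stop request. */
  if (mode && (gp.tos == NULL || gp.state == GMON_PROF_ERROR))
    mode = 0;
  if (mode) {
    model_profil(gp.kcount);
    gp.state = GMON_PROF_ON;
  } else {
    /* (4): the kernel is told to stop even when state == GMON_PROF_ERROR,
       so the free() in _mcleanup cannot leave it writing into reused memory. */
    model_profil(NULL);
    if (gp.state != GMON_PROF_ERROR)
      gp.state = GMON_PROF_OFF;
  }
}

/* Model of __monstartup after item (2): a repeated call is a no-op. */
static bool model_monstartup(void) {
  if (gp.tos != NULL)
    return false;                       /* already started: do not leak */
  gp.kcountsize = 4096;
  gp.kcount = calloc(gp.kcountsize, 1);
  if (gp.kcount == NULL) { gp.state = GMON_PROF_ERROR; return false; }
  gp.tos = gp.kcount;                   /* one allocation in this model */
  gp.state = GMON_PROF_OFF;
  model_moncontrol(1);
  return true;
}

/* Model of _mcleanup after item (1) plus the V2 correction: zero the whole
   structure, then set state to OFF explicitly because zero means ON. */
static bool model_mcleanup(void) {
  if (gp.tos == NULL)
    return false;                       /* second call in a row: no-op */
  model_moncontrol(0);                  /* stop the kernel before freeing */
  free(gp.kcount);
  memset(&gp, 0, sizeof gp);
  gp.state = GMON_PROF_OFF;             /* V1 omitted this line */
  return true;
}

/* The V1 mistake, kept for comparison: memset alone yields state == ON. */
static long state_after_v1_style_cleanup(void) {
  struct gmonparam p;
  memset(&p, 0, sizeof p);
  return p.state;
}

/* Item (1)+(3): double _mcleanup is harmless and a later start is ignored. */
static bool scenario_double_cleanup_is_safe(void) {
  reset_model();
  model_monstartup();
  bool first = model_mcleanup();
  bool second = model_mcleanup();
  model_moncontrol(1);                  /* must not re-arm the kernel */
  return first && !second && gp.state == GMON_PROF_OFF && kernel_sample_target == NULL;
}

/* Item (2): double __monstartup keeps the first buffer, allocates nothing new. */
static bool scenario_double_startup_no_leak(void) {
  reset_model();
  bool first = model_monstartup();
  unsigned short *saved = gp.kcount;
  bool second = model_monstartup();
  bool same = gp.kcount == saved;
  model_mcleanup();
  return first && !second && same;
}

/* Item (4): cleanup from the error state still detaches the kernel sampler. */
static bool scenario_error_state_still_stops_kernel(void) {
  reset_model();
  model_monstartup();
  gp.state = GMON_PROF_ERROR;           /* as mcount does on overflow */
  model_mcleanup();
  return kernel_sample_target == NULL && gp.tos == NULL;
}

int main(void) {
  printf("V1-style cleanup leaves state=%ld (ON is %d)\n", state_after_v1_style_cleanup(), GMON_PROF_ON);
  printf("double cleanup safe: %d\n", scenario_double_cleanup_is_safe());
  printf("double startup no leak: %d\n", scenario_double_startup_no_leak());
  printf("error state stops kernel: %d\n", scenario_error_state_still_stops_kernel());
  return 0;
}
```

The point worth keeping from the model is the ordering in `model_mcleanup`: the sampler is detached before the buffer is freed, and the state is set after the memset. Swap either and the model reproduces the two failure modes the commit message describes, the kernel writing into freed memory, or a zeroed structure that reports profiling as ON.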
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/NEWS b/NEWS index cc9f292ad8..343719044a 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,7 @@ The following bugs are resolved with this release: [27576] gmon: improve mcount overflow handling [29444] gmon: Fix allocated buffer overflow (bug 29444) [30053] time: strftime %s returns -1 after 2038 on 32 bits systems + [30101] gmon: fix memory corruption issues [30125] dynamic-link: [regression, bisected] glibc-2.37 creates new symlink for libraries without soname [30151] gshadow: Matching sgetsgent, sgetsgent_r ERANGE handling |
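Review bot: the added line `[30101] gmon: fix memory corruption issues` sits in correct numeric order between [30053] and [30125] and matches the commit subject, so the hunk needs no change; the only nit visible in the context is that the neighbouring `[29444] gmon: Fix allocated buffer overflow (bug 29444)` entry repeats its bug number in parentheses while every other line, including the new one, does not, which could be made uniform in a follow-up.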