diff options
author | Florian Weimer <fweimer@redhat.com> | 2017-08-30 16:39:41 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2017-08-30 16:39:41 +0200 |
commit | ec2c1fcefb200c6cb7e09553f3c6af8815013d83 (patch) | |
tree | 6da867b8b565f3d200688016fef68d8de42f9ae1 /manual | |
parent | 9ce673b69e82578044958f66d93dcaddb23f6e95 (diff) | |
download | glibc-ec2c1fcefb200c6cb7e09553f3c6af8815013d83.tar.gz glibc-ec2c1fcefb200c6cb7e09553f3c6af8815013d83.tar.xz glibc-ec2c1fcefb200c6cb7e09553f3c6af8815013d83.zip |
malloc: Abort on heap corruption, without a backtrace [BZ #21754]
The stack trace printing caused deadlocks and has been itself been targeted by code execution exploits.
Diffstat (limited to 'manual')
-rw-r--r-- | manual/memory.texi | 20 | ||||
-rw-r--r-- | manual/tunables.texi | 28 |
2 files changed, 16 insertions, 32 deletions
diff --git a/manual/memory.texi b/manual/memory.texi index 82f473806c..13cce7a750 100644 --- a/manual/memory.texi +++ b/manual/memory.texi @@ -1309,17 +1309,15 @@ The block was already freed. Another possibility to check for and guard against bugs in the use of @code{malloc}, @code{realloc} and @code{free} is to set the environment -variable @code{MALLOC_CHECK_}. When @code{MALLOC_CHECK_} is set, a -special (less efficient) implementation is used which is designed to be -tolerant against simple errors, such as double calls of @code{free} with -the same argument, or overruns of a single byte (off-by-one bugs). Not -all such errors can be protected against, however, and memory leaks can -result. If @code{MALLOC_CHECK_} is set to @code{0}, any detected heap -corruption is silently ignored; if set to @code{1}, a diagnostic is -printed on @code{stderr}; if set to @code{2}, @code{abort} is called -immediately. This can be useful because otherwise a crash may happen -much later, and the true cause for the problem is then very hard to -track down. +variable @code{MALLOC_CHECK_}. When @code{MALLOC_CHECK_} is set to a +non-zero value, a special (less efficient) implementation is used which +is designed to be tolerant against simple errors, such as double calls +of @code{free} with the same argument, or overruns of a single byte +(off-by-one bugs). Not all such errors can be protected against, +however, and memory leaks can result. + +Any detected heap corruption results in immediate termination of the +process. There is one problem with @code{MALLOC_CHECK_}: in SUID or SGID binaries it could possibly be exploited since diverging from the normal programs diff --git a/manual/tunables.texi b/manual/tunables.texi index 3c19567a28..b09e3fe791 100644 --- a/manual/tunables.texi +++ b/manual/tunables.texi @@ -71,27 +71,13 @@ following tunables in the @code{malloc} namespace: This tunable supersedes the @env{MALLOC_CHECK_} environment variable and is identical in features. -Setting this tunable enables a special (less efficient) memory allocator for -the malloc family of functions that is designed to be tolerant against simple -errors such as double calls of free with the same argument, or overruns of a -single byte (off-by-one bugs). Not all such errors can be protected against, -however, and memory leaks can result. The following list describes the values -that this tunable can take and the effect they have on malloc functionality: - -@itemize @bullet -@item @code{0} Ignore all errors. The default allocator continues to be in -use, but all errors are silently ignored. -@item @code{1} Report errors. The alternate allocator is selected and heap -corruption, if detected, is reported as diagnostic messages to @code{stderr} -and the program continues execution. -@item @code{2} Abort on errors. The alternate allocator is selected and if -heap corruption is detected, the program is ended immediately by calling -@code{abort}. -@item @code{3} Fully enabled. The alternate allocator is selected and is fully -functional. That is, if heap corruption is detected, a verbose diagnostic -message is printed to @code{stderr} and the program is ended by calling -@code{abort}. -@end itemize +Setting this tunable to a non-zero value enables a special (less +efficient) memory allocator for the malloc family of functions that is +designed to be tolerant against simple errors such as double calls of +free with the same argument, or overruns of a single byte (off-by-one +bugs). Not all such errors can be protected against, however, and memory +leaks can result. Any detected heap corruption results in immediate +termination of the process. Like @env{MALLOC_CHECK_}, @code{glibc.malloc.check} has a problem in that it diverges from normal program behavior by writing to @code{stderr}, which could |