Page MenuHomeFreeBSD

Remove an unneeded and incorrect memset().
ClosedPublic

Authored by brooks on Sep 29 2017, 8:59 PM.

Details

Summary

On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv)
the __libc_allocate_tls function allocates thread local storage memory
with calloc(). It then copies initialization data over the portions with
non-zero initial values. Before this change it would then pointlessly
zero the already zeroed remainder of the storage. Unfortunately the
calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *))
additional bytes.

In practice, this overflow only matters if the TLS segment is sized such
that calloc() allocates a less than TLS_TCB_SIZE extra memory. Even
then, the likely result will be zeroing part of the next bucket. This
coupled with the impact being confined to Tier II platforms means there
will be no security advisory for this issue.

Found using: CHERI
Sponsored by: DARPA, AFRL
MFC After: 1 week

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brooks created this revision.Sep 29 2017, 8:59 PM
kib accepted this revision.Sep 30 2017, 7:57 AM
This revision is now accepted and ready to land.Sep 30 2017, 7:57 AM
dfr accepted this revision.Sep 30 2017, 9:31 AM

Looks good to me.

This revision was automatically updated to reflect the committed changes.