104752 - Add guard pages for TCMalloc metadata - chromium

	Project: chromium ▼ Issues People Development process History	Sign in

Add guard pages for TCMalloc metadata

Starred by 4 users

Project Member Reported by jsc...@chromium.org, Nov 18 2011

Status:	Fixed
Owner:	jsc...@chromium.org
Closed:	Jan 2012
Cc:	█ jar@chromium.org
Components:	Internals Security
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	2
Type:	Bug
MovedFrom-17 Restrict-AddIssueComment-EditIssue M-17

Restricted

Only users with EditIssue permission may comment.

It's possible to get the TCMalloc metadata pages allocated inline with normal user-controllable data. This means that a buffer overrun in a properly laid out address space could lead to a generic exploit against TCMalloc. This is even more likely on Unix-based system due to how the allocator is implemented. The easiest solution seems to be just adding a guard page in front of the metadata.

Project Member Comment 1 by bugdroid1@chromium.org, Nov 30 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=112260

------------------------------------------------------------------------
r112260 | jschuh@chromium.org | Wed Nov 30 10:57:03 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/page_heap_allocator.h?r1=112260&r2=112259&pathrev=112260
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/common.cc?r1=112260&r2=112259&pathrev=112260
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/system-alloc.h?r1=112260&r2=112259&pathrev=112260
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/system-alloc.cc?r1=112260&r2=112259&pathrev=112260
 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/windows/port.cc?r1=112260&r2=112259&pathrev=112260

Add a guard page in front of metadata allocations.

BUG= 104752 



Review URL: http://codereview.chromium.org/8570023
------------------------------------------------------------------------

Comment 2 by k...@google.com, Dec 19 2011

Labels: -Mstone-17 Mstone-18 MovedFrom-17

Moving bugs marked as Started but not blockers from M17 to M18.  Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label.  If you're able.

Comment 3 by jsc...@chromium.org, Jan 19 2012

Status: Fixed

Comment 4 by scarybea...@gmail.com, Jan 20 2012

Labels: -Mstone-18 Mstone-17

This made in into M17, nice.

Project Member Comment 5 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit

This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Project Member Comment 6 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Area-Internals -Feature-Security -Mstone-17 Cr-Security Cr-Internals M-17

Project Member Comment 7 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

► Sign in to add a comment