Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug


Add guard pages for TCMalloc metadata

Reported by jsc...@chromium.org (Project Member), Nov 18 2011

Issue description

It's possible to get the TCMalloc metadata pages allocated inline with normal user-controllable data. This means that a buffer overrun in a properly laid out address space could lead to a generic exploit against TCMalloc. This is even more likely on Unix-based systems due to how the allocator is implemented. The easiest solution seems to be just adding a guard page in front of the metadata.
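The mitigation the report describes, as an added example that is not Chromium's or TCMalloc's code: a Linux/POSIX C program with a hypothetical layout (user page, optional PROT_NONE guard page, and a page of constructed fill standing in for allocator metadata) showing that an overrun from the user page faults at the guard instead of silently rewriting the metadata.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical layout: [user page][guard page (optional)][metadata page].
 * The guard page is mapped PROT_NONE, so any write reaching it faults. */
struct region { uint8_t *base, *user, *meta; size_t page, len; };
static int region_init(struct region *r, int with_guard) {
  r->page = (size_t)sysconf(_SC_PAGESIZE);
  r->len = (with_guard ? 3 : 2) * r->page;
  r->base = mmap(NULL, r->len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (r->base == MAP_FAILED) return -1;
  r->user = r->base;
  r->meta = r->base + r->len - r->page;
  memset(r->meta, 0xAA, r->page); /* constructed stand-in for allocator metadata */
  if (with_guard && mprotect(r->base + r->page, r->page, PROT_NONE) != 0) return -1;
  return 0;
}
static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }
/* Write n bytes past the end of the user page. Returns 1 if the write faulted
 * (stopped by the guard page), 0 if it completed silently. */
static int overrun(struct region *r, size_t n) {
  struct sigaction sa, old;
  memset(&sa, 0, sizeof sa);
  sa.sa_handler = on_segv;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGSEGV, &sa, &old);
  volatile int faulted = 0;
  if (sigsetjmp(fault_jmp, 1) == 0) {
    volatile uint8_t *p = r->user;
    for (size_t i = 0; i < r->page + n; i++) p[i] = 0x41;
  } else {
    faulted = 1;
  }
  sigaction(SIGSEGV, &old, NULL);
  return faulted;
}
/* 1 if the metadata stand-in still holds its fill pattern, 0 if it was overwritten. */
static int meta_intact(const struct region *r) {
  for (size_t i = 0; i < r->page; i++) if (r->meta[i] != 0xAA) return 0;
  return 1;
}
static void region_free(struct region *r) { munmap(r->base, r->len); }
```

Without the guard the same 16-byte overrun completes silently and the metadata page is corrupted; with it the write faults at the first guard byte and the metadata is untouched.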
 

Comment 2 by k...@google.com, Dec 19 2011

Labels: -Mstone-17 Mstone-18 MovedFrom-17
Moving bugs marked as Started but not blockers from M17 to M18.  Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label.  If you're able.

Comment 3 by jsc...@chromium.org, Jan 19 2012

Status: Fixed
Labels: -Mstone-18 Mstone-17
This made it into M17, nice.

Comment 5 by bugdroid1@chromium.org (Project Member), Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 6 by bugdroid1@chromium.org (Project Member), Mar 10 2013

Labels: -Area-Internals -Feature-Security -Mstone-17 Cr-Security Cr-Internals M-17

Comment 7 by bugdroid1@chromium.org (Project Member), Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
