Add guard pages for TCMalloc metadata |
|||||||
Issue descriptionIt's possible to get the TCMalloc metadata pages allocated inline with normal user-controllable data. This means that a buffer overrun in a properly laid out address space could lead to a generic exploit against TCMalloc. This is even more likely on Unix-based system due to how the allocator is implemented. The easiest solution seems to be just adding a guard page in front of the metadata.
,
Dec 19 2011
Moving bugs marked as Started but not blockers from M17 to M18. Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label. If you're able.
,
Jan 19 2012
,
Jan 20 2012
This made in into M17, nice.
,
Oct 13 2012
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
,
Mar 10 2013
,
Mar 13 2013
,
Oct 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/22d691ec9f38a77c7ecbee9363c7f44663824baf commit 22d691ec9f38a77c7ecbee9363c7f44663824baf Author: Gabriel Marin <gmx@chromium.org> Date: Tue Oct 02 21:11:39 2018 tcmalloc: add a guard page in front of metadata allocations Based on original CL: - https://codereview.chromium.org/8570023 Add a guard page in front of metadata allocations. BUG= 104752 Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=112260 Code has been modified to create the guard page inside MetaDataAlloc, once per 8MB chunk. BUG=724399,b:70905156 Change-Id: I527fbfe5e258cc052e205d01bfe2dd30e21b9f13 Reviewed-on: https://chromium-review.googlesource.com/c/1130794 Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Gabriel Marin <gmx@chromium.org> Cr-Commit-Position: refs/heads/master@{#595983} [modify] https://crrev.com/22d691ec9f38a77c7ecbee9363c7f44663824baf/third_party/tcmalloc/chromium/src/common.cc [modify] https://crrev.com/22d691ec9f38a77c7ecbee9363c7f44663824baf/third_party/tcmalloc/chromium/src/common.h [modify] https://crrev.com/22d691ec9f38a77c7ecbee9363c7f44663824baf/third_party/tcmalloc/chromium/src/system-alloc.cc [modify] https://crrev.com/22d691ec9f38a77c7ecbee9363c7f44663824baf/third_party/tcmalloc/chromium/src/system-alloc.h |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by bugdroid1@chromium.org
, Nov 30 2011The following revision refers to this bug: http://src.chromium.org/viewvc/chrome?view=rev&revision=112260 ------------------------------------------------------------------------ r112260 | jschuh@chromium.org | Wed Nov 30 10:57:03 PST 2011 Changed paths: M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/page_heap_allocator.h?r1=112260&r2=112259&pathrev=112260 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/common.cc?r1=112260&r2=112259&pathrev=112260 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/system-alloc.h?r1=112260&r2=112259&pathrev=112260 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/system-alloc.cc?r1=112260&r2=112259&pathrev=112260 M http://src.chromium.org/viewvc/chrome/trunk/src/third_party/tcmalloc/chromium/src/windows/port.cc?r1=112260&r2=112259&pathrev=112260 Add a guard page in front of metadata allocations. BUG= 104752 Review URL: http://codereview.chromium.org/8570023 ------------------------------------------------------------------------