[PATCH][WIP] Make exploiting talloc harder by using a random talloc_magic

Simo simo at samba.org
Wed Oct 16 20:32:28 MDT 2013


On Thu, 2013-10-17 at 14:34 +1300, Andrew Bartlett wrote:
> This patch is inspired by the exploit in
> http://blog.csnc.ch/wp-content/uploads/2012/07/sambaexploit_v1.0.pdf
> and is an idea to see if we can make it harder to exploit talloc.
> 
> The re-order is designed to put the flags earlier into the talloc_chunk,
> where they would have to be overwritten.
> 
> The only downsides I see so far are:
>  - startup needs to select a better random number
>  - we lose the magic 'different talloc version' detection, it will just
> abort with wrong magic.  However library .so names and symbol versions
> will probably avoid this, now we always build with waf.
>  - presumably the compiler would have been able to optimise the previous
> talloc version check
> 
> What do folks think, and can I get some help to prove it would disrupt
> these exploits?

Well it may make this specific exploit harder, but if they can't use
talloc() they'll probably find something else.

Ok, coming to the code, I am not completely positive your change would
prevent the attack in all cases: you move flags on top, but nothing
prevents an optimizing compiler from shuffling them around the structure
in theory.

It is unclear to me why you sprinkle talloc_set_magic() around; why
isn't it sufficient to just call it only from __talloc_with_prefix()?

You seem to have put it everywhere null_context is tested for non-NULL,
but that is unnecessary, as the null_context is either NULL, or it has
been allocated via __talloc_with_prefix() in
talloc_enable_null_tracking(), hence it has already been called. What am
I missing?

Simo.
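A minimal model of the idea under discussion, added here as an illustration for the thread (it is not Andrew's patch or libtalloc code; the chunk_hdr layout, chunk_alloc, chunk_check and overflow_is_detected are hypothetical names): a random magic is chosen once per process, stored in the first word of each chunk header so a linear overflow must clobber it before reaching the list pointers, and verified before the chunk is trusted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Low bits of the flags word hold chunk state, the rest hold the magic,
 * mirroring how talloc packs TALLOC_MAGIC and TALLOC_FLAG_* into one word. */
#define FLAG_FREE   0x01u
#define MAGIC_MASK  (~0x0Fu)

static uint32_t chunk_magic;   /* per-process value, chosen once at startup */

/* Hypothetical header layout: the magic/flags word comes FIRST, so an
 * overflow from the preceding allocation hits it before the pointers and
 * the mismatch is caught the next time the chunk is used. */
struct chunk_hdr {
    uint32_t flags;
    size_t   size;
    struct chunk_hdr *next, *prev;   /* stand-ins for talloc's sibling links */
};

static uint32_t pick_random_magic(void) {
    uint32_t v = 0;
    FILE *f = fopen("/dev/urandom", "rb");        /* assumes a Unix-like host */
    if (f) { if (fread(&v, sizeof v, 1, f) != 1) v = 0; fclose(f); }
    if ((v & MAGIC_MASK) == 0) v = 0xC0DE0000u;   /* never use a zero magic */
    return v & MAGIC_MASK;
}

void *chunk_alloc(size_t size) {
    if (!chunk_magic) chunk_magic = pick_random_magic();
    struct chunk_hdr *h = malloc(sizeof *h + size);
    if (!h) return NULL;
    h->flags = chunk_magic;          /* FLAG_FREE clear: chunk is live */
    h->size = size;
    h->next = h->prev = NULL;
    return h + 1;
}

/* 1 if the header still carries this process's magic, 0 if it was overwritten. */
int chunk_check(const void *ptr) {
    const struct chunk_hdr *h = (const struct chunk_hdr *)ptr - 1;
    return (h->flags & MAGIC_MASK) == chunk_magic;
}

/* Constructed scenario: a write runs into a chunk's header (simulated by
 * overwriting it directly). Returns 1 if the magic check flags the damage. */
int overflow_is_detected(void) {
    char *p = chunk_alloc(16);
    if (!p) return -1;
    memset(p - sizeof(struct chunk_hdr), 'A', sizeof(struct chunk_hdr));
    int detected = chunk_check(p) == 0;
    free((struct chunk_hdr *)p - 1);
    return detected;
}
```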
