The meaning of the TDB magic string?
Jeremy Allison
jra at samba.org
Sat Jan 30 22:51:53 UTC 2016
On Sat, Jan 30, 2016 at 01:41:47PM -0800, Richard Sharpe wrote:
> Hi folks,
>
> I am trying to track down some memory usage issues.
>
> I notice this string in a lot of places in memory:
>
> 0xe8150c7[3|b|f]
>
> This looks like the TDB magic string but the last four bits change and they
> seem to be flags.
>
> What do they mean?
Might it be from the code that does talloc magic
randomization to protect against overflow?
#define TALLOC_MAGIC_BASE 0xe814ec70
static unsigned int talloc_magic = (
	TALLOC_MAGIC_BASE +
	(TALLOC_VERSION_MAJOR << 12) +
	(TALLOC_VERSION_MINOR << 4));
...
#ifdef HAVE_CONSTRUCTOR_ATTRIBUTE
void talloc_lib_init(void) __attribute__((constructor));
void talloc_lib_init(void)
{
	uint32_t random_value;
#if defined(HAVE_GETAUXVAL) && defined(AT_RANDOM)
	uint8_t *p;
	/*
	 * Use the kernel-provided random values used for
	 * ASLR.  This won't change per-exec, which is ideal for us
	 */
	p = (uint8_t *) getauxval(AT_RANDOM);
	if (p) {
		/*
		 * We get 16 bytes from getauxval.  By calling rand(),
		 * a totally insecure PRNG, but one that will
		 * deterministically have a different value when called
		 * twice, we ensure that if two talloc-like libraries
		 * are somehow loaded in the same address space, that
		 * because we choose different bytes, we will keep the
		 * protection against collision of multiple talloc
		 * libs.
		 *
		 * This protection is important because the effects of
		 * passing a talloc pointer from one to the other may
		 * be very hard to determine.
		 */
		int offset = rand() % (16 - sizeof(random_value));
		memcpy(&random_value, p + offset, sizeof(random_value));
	} else
#endif
	{
		/*
		 * Otherwise, hope the location we are loaded in
		 * memory is randomised by someone else
		 */
		random_value = ((uintptr_t)talloc_lib_init & 0xFFFFFFFF);
	}
	talloc_magic = random_value & ~TALLOC_FLAG_MASK;
}
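
Added example, not part of the original message and not talloc's own code: a small decoder that checks whether a 32-bit word seen in memory fits the static formula quoted above (base + major << 12 + minor << 4) and splits off the low-nibble flag bits. The helper name, the plausibility bounds (major < 16, minor < 256) and the sample words are assumptions; the flag bit names are taken from talloc.c and are not shown in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define TALLOC_MAGIC_BASE 0xe814ec70u  /* from the message above */
#define TALLOC_FLAG_MASK  0x0Fu        /* low nibble is kept clear for flags */

/* Flag bit names as defined in talloc.c (not shown in the message). */
#define TALLOC_FLAG_FREE    0x01u
#define TALLOC_FLAG_LOOP    0x02u
#define TALLOC_FLAG_POOL    0x04u
#define TALLOC_FLAG_POOLMEM 0x08u

struct magic_info { int match; unsigned major, minor, flags; };

/* Hypothetical helper: does `word` look like a non-randomised talloc
 * magic with flag bits OR-ed into the low nibble?
 * Assumes major < 16 and minor < 256 so the two fields cannot overlap. */
struct magic_info decode_talloc_magic(uint32_t word)
{
    struct magic_info r = {0, 0, 0, word & TALLOC_FLAG_MASK};
    uint32_t magic = word & ~TALLOC_FLAG_MASK;

    if (magic < TALLOC_MAGIC_BASE)
        return r;                       /* below the base: cannot match */
    uint32_t delta = magic - TALLOC_MAGIC_BASE;
    r.major = delta >> 12;
    r.minor = (delta >> 4) & 0xFFu;
    r.match = r.major < 16;             /* reject words far above the base */
    return r;
}

int main(void)
{
    /* Constructed samples: the three values from the question, plus one
     * arbitrary word standing in for a magic replaced by talloc_lib_init(). */
    uint32_t samples[] = {0xe8150c73u, 0xe8150c7bu, 0xe8150c7fu, 0x5a3c91d0u};

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct magic_info m = decode_talloc_magic(samples[i]);
        if (!m.match) {
            printf("0x%08x: not a static talloc magic\n", (unsigned)samples[i]);
            continue;
        }
        printf("0x%08x: talloc %u.%u flags=0x%x%s%s%s%s\n", (unsigned)samples[i],
               m.major, m.minor, m.flags,
               (m.flags & TALLOC_FLAG_FREE) ? " FREE" : "",
               (m.flags & TALLOC_FLAG_LOOP) ? " LOOP" : "",
               (m.flags & TALLOC_FLAG_POOL) ? " POOL" : "",
               (m.flags & TALLOC_FLAG_POOLMEM) ? " POOLMEM" : "");
    }
    return 0;
}
```

Once the constructor has replaced talloc_magic with a random value, chunk headers no longer fit this formula, so a match means the word was built from the static constant.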