[PATCH] Do not leave random talloc magic in free()'ed memory, fix abort message

Andrew Bartlett abartlet at samba.org
Thu Jan 11 22:31:18 UTC 2018


On Thu, 2017-12-21 at 20:13 +1300, Andrew Bartlett via samba-technical
wrote:
> G'Day,
> 
> I've been thinking about ways that our talloc magic protection might be
> avoided and reading the magic from memory that has recently been
> free()ed would be a good attack.
> 
> So this patch marks this memory with a fixed magic.  All valid use of
> memory still uses the random magic.
> 
> This passed a full autobuild.
> 
> Please carefully review!  
> 
> On my re-look it might need to tweak talloc_chunk_from_ptr() a little
> (when other flags could be set), but I would like other thoughts too!

Attached is two patches, one which shows that the magic detection logic
was wrong, and the new no-disclosure stuff. 

I think this is now ready.  Please review!

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
From 689b11e15840ad2e36048cbc3026ca1fd7c4b19c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 8 Jan 2018 17:29:19 +1300
Subject: [PATCH 1/3] talloc: Remove talloc_abort_magic()

The check required for talloc_abort_magic() prevents the 'access after free error'
from being printed.

It is also no longer possible to determine the difference between invalid memory
and a talloc version mismatch as the magic is now random on many platforms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 lib/talloc/talloc.c | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7721fa4a9c6..3569ba75929 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -429,11 +429,6 @@ static void talloc_abort(const char *reason)
 	talloc_abort_fn(reason);
 }
 
-static void talloc_abort_magic(unsigned magic)
-{
-	talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
-}
-
 static void talloc_abort_access_after_free(void)
 {
 	talloc_abort("Bad talloc magic value - access after free");
@@ -450,19 +445,14 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
 	const char *pp = (const char *)ptr;
 	struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
 	if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
-		if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) {
-			talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK));
-			return NULL;
-		}
-
-		if (tc->flags & TALLOC_FLAG_FREE) {
-			talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
-			talloc_abort_access_after_free();
-			return NULL;
-		} else {
+		if ((tc->flags & (~TALLOC_FLAG_MASK)) != talloc_magic) {
 			talloc_abort_unknown_value();
 			return NULL;
 		}
+
+		talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
+		talloc_abort_access_after_free();
+		return NULL;
 	}
 	return tc;
 }
-- 
2.11.0


From dafbed2f7a01818c5aeb796fd2e251745c5f1fb6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Fri, 12 Jan 2018 11:17:09 +1300
Subject: [PATCH 2/3] talloc: Add tests to require use-after-free to give the
 correct talloc_abort() string

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 lib/talloc/testsuite.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index dfaeec1d1d9..92081b5fdd8 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -2006,6 +2006,72 @@ static bool test_magic_protection(void)
 	return true;
 }
 
+static void test_magic_free_protection_abort(const char *reason)
+{
+	/* exit with errcode 42 to communicate successful test to the parent process */
+	if (strcmp(reason, "Bad talloc magic value - access after free") == 0) {
+		_exit(42);
+	}
+	/* not 42 */
+	_exit(404);
+}
+
+static bool test_magic_free_protection(void)
+{
+	void *pool = talloc_pool(NULL, 1024);
+	int *p1, *p2, *p3;
+	pid_t pid;
+	int exit_status;
+
+	printf("test: magic_protection\n");
+	p1 = talloc(pool, int);
+	p2 = talloc(pool, int);
+
+	/* To avoid complaints from the compiler assign values to the p1 & p2. */
+	*p1 = 6;
+	*p2 = 9;
+	
+	p3 = talloc_realloc(pool, p2, int, 2048);
+	torture_assert("pool realloc 2048",
+		       p3 != p2,
+		       "failed: pointer not changed");
+
+	/* 
+	 * Now access the memory in the pool after the realloc().  It
+	 * should be marked as free, so use of the old pointer should
+	 * trigger the abort function
+	 */
+	pid = fork();
+	if (pid == 0) {
+		talloc_set_abort_fn(test_magic_free_protection_abort);
+
+		talloc_get_name(p2);
+
+		/* Never reached. Make compilers happy */
+		return true;
+	}
+
+	while (wait(&exit_status) != pid);
+
+	if (!WIFEXITED(exit_status)) {
+		printf("Child exited through unexpected abnormal means\n");
+		return false;
+	}
+	if (WEXITSTATUS(exit_status) != 42) {
+		printf("Child exited with wrong exit status\n");
+		return false;
+	}
+	if (WIFSIGNALED(exit_status)) {
+		printf("Child recieved unexpected signal\n");
+		return false;
+	}
+
+	talloc_free(pool);
+	
+	printf("success: magic_free_protection\n");
+	return true;
+}
+
 static void test_reset(void)
 {
 	talloc_set_log_fn(test_log_stdout);
@@ -2092,6 +2158,8 @@ bool torture_local_talloc(struct torture_context *tctx)
 	ret &= test_autofree();
 	test_reset();
 	ret &= test_magic_protection();
+	test_reset();
+	ret &= test_magic_free_protection();
 
 	test_reset();
 	talloc_disable_null_tracking();
-- 
2.11.0


From 01903cac2f1ffd3f5699ca8a223ee31166253991 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 8 Jan 2018 17:34:31 +1300
Subject: [PATCH 3/3] talloc: Do not disclose the random talloc magic in
 free()'ed memory

This may help us avoid exploits via memory read attacks on Samba by ensuring that if the read
is on an invalid chunk that the talloc magic disclosed there is not useful
to create a valid chunk and so set a destructor.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 lib/talloc/talloc.c | 121 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 90 insertions(+), 31 deletions(-)

diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 3569ba75929..b6f81df73dc 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -75,12 +75,13 @@
 #define TALLOC_MAGIC_REFERENCE ((const char *)1)
 
 #define TALLOC_MAGIC_BASE 0xe814ec70
-static unsigned int talloc_magic = (
-	~TALLOC_FLAG_MASK & (
-		TALLOC_MAGIC_BASE +
-		(TALLOC_BUILD_VERSION_MAJOR << 24) +
-		(TALLOC_BUILD_VERSION_MINOR << 16) +
-		(TALLOC_BUILD_VERSION_RELEASE << 8)));
+#define TALLOC_MAGIC_NON_RANDOM ( \
+	~TALLOC_FLAG_MASK & ( \
+		TALLOC_MAGIC_BASE + \
+		(TALLOC_BUILD_VERSION_MAJOR << 24) + \
+		(TALLOC_BUILD_VERSION_MINOR << 16) + \
+		(TALLOC_BUILD_VERSION_RELEASE << 8)))
+static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM;
 
 /* by default we abort when given a bad pointer (such as when talloc_free() is called
    on a pointer that came from malloc() */
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void)
 	return talloc_magic;
 }
 
+static inline void _talloc_chunk_set_free(struct talloc_chunk *tc,
+			      const char *location)
+{
+	/*
+	 * Mark this memory as free, and also over-stamp the talloc
+	 * magic with the old-style magic.
+	 *
+	 * Why?  This tries to avoid a memory read use-after-free from
+	 * disclosing our talloc magic, which would then allow an
+	 * attacker to prepare a valid header and so run a destructor.
+	 *
+	 */
+	tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE
+		| (tc->flags & TALLOC_FLAG_MASK);
+
+	/* we mark the freed memory with where we called the free
+	 * from. This means on a double free error we can report where
+	 * the first free came from
+	 */
+	if (location) {
+		tc->name = location;
+	}
+}
+
+static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc)
+{
+	/*
+	 * Mark this memory as not free.
+	 *
+	 * Why? This is memory either in a pool (and so available for
+	 * talloc's re-use or after the realloc().  We need to mark
+	 * the memory as free() before any realloc() call as we can't
+	 * write to the memory after that.
+	 *
+	 * We put back the normal magic instead of the 'not random'
+	 * magic.
+	 */
+
+	tc->flags = talloc_magic |
+		((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE);
+}
+
 static void (*talloc_log_fn)(const char *message);
 
 _PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message))
@@ -444,14 +487,16 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
 {
 	const char *pp = (const char *)ptr;
 	struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
-	if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
-		if ((tc->flags & (~TALLOC_FLAG_MASK)) != talloc_magic) {
-			talloc_abort_unknown_value();
+	if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
+		     != talloc_magic)) {
+		if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
+		    == (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE)) {
+			talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
+			talloc_abort_access_after_free();
 			return NULL;
 		}
 
-		talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
-		talloc_abort_access_after_free();
+		talloc_abort_unknown_value();
 		return NULL;
 	}
 	return tc;
@@ -937,13 +982,7 @@ static inline void _tc_free_poolmem(struct talloc_chunk *tc,
 	pool_tc = talloc_chunk_from_pool(pool);
 	next_tc = tc_next_chunk(tc);
 
-	tc->flags |= TALLOC_FLAG_FREE;
-
-	/* we mark the freed memory with where we called the free
-	 * from. This means on a double free error we can report where
-	 * the first free came from
-	 */
-	tc->name = location;
+	_talloc_chunk_set_free(tc, location);
 
 	TC_INVALIDATE_FULL_CHUNK(tc);
 
@@ -1093,13 +1132,7 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,
 
 	_tc_free_children_internal(tc, ptr, location);
 
-	tc->flags |= TALLOC_FLAG_FREE;
-
-	/* we mark the freed memory with where we called the free
-	 * from. This means on a double free error we can report where
-	 * the first free came from
-	 */
-	tc->name = location;
+	_talloc_chunk_set_free(tc, location);
 
 	if (tc->flags & TALLOC_FLAG_POOL) {
 		struct talloc_pool_hdr *pool;
@@ -1796,8 +1829,22 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 	}
 #endif
 
-	/* by resetting magic we catch users of the old memory */
-	tc->flags |= TALLOC_FLAG_FREE;
+	/*
+	 * by resetting magic we catch users of the old memory
+	 *
+	 * We mark this memory as free, and also over-stamp the talloc
+	 * magic with the old-style magic.
+	 *
+	 * Why?  This tries to avoid a memory read use-after-free from
+	 * disclosing our talloc magic, which would then allow an
+	 * attacker to prepare a valid header and so run a destructor.
+	 *
+	 * What else?  We have to re-stamp back a valid normal magic
+	 * on this memory once realloc() is done, as it will have done
+	 * a memcpy() into the new valid memory.  We can't do this in
+	 * reverse as that would be a real use-after-free.
+	 */
+	_talloc_chunk_set_free(tc, NULL);
 
 #if ALWAYS_REALLOC
 	if (pool_hdr) {
@@ -1896,7 +1943,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 
 		if (new_chunk_size == old_chunk_size) {
 			TC_UNDEFINE_GROW_CHUNK(tc, size);
-			tc->flags &= ~TALLOC_FLAG_FREE;
+			_talloc_chunk_set_not_free(tc);
 			tc->size = size;
 			return ptr;
 		}
@@ -1911,7 +1958,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 
 			if (space_left >= space_needed) {
 				TC_UNDEFINE_GROW_CHUNK(tc, size);
-				tc->flags &= ~TALLOC_FLAG_FREE;
+				_talloc_chunk_set_not_free(tc);
 				tc->size = size;
 				pool_hdr->end = tc_next_chunk(tc);
 				return ptr;
@@ -1941,12 +1988,24 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 got_new_ptr:
 #endif
 	if (unlikely(!new_ptr)) {
-		tc->flags &= ~TALLOC_FLAG_FREE;
+		/*
+		 * Ok, this is a strange spot.  We have to put back
+		 * the old talloc_magic and any flags, except the
+		 * TALLOC_FLAG_FREE as this was not free'ed by the
+		 * realloc() call after all
+		 */
+		_talloc_chunk_set_not_free(tc);
 		return NULL;
 	}
 
+	/*
+	 * tc is now the new value from realloc(), the old memory we
+	 * can't access any more and was preemptively marked as
+	 * TALLOC_FLAG_FREE before the call.  Now we mark it as not
+	 * free again
+	 */
 	tc = (struct talloc_chunk *)new_ptr;
-	tc->flags &= ~TALLOC_FLAG_FREE;
+	_talloc_chunk_set_not_free(tc);
 	if (malloced) {
 		tc->flags &= ~TALLOC_FLAG_POOLMEM;
 	}
-- 
2.11.0



More information about the samba-technical mailing list