[PATCH] Do not leave random talloc magic in free()'ed memory

[Stefan Metzmacher]

Hi Andrew,

I saw these patches in your current autobuild.

I tried to pick them for 4.8.0 (including talloc-2.1.11),
but it failed locally with:

[2(1)/2 at 0s] samba4.local.talloc
talloc: access after free error - first free may be at
../lib/talloc/talloc.c:1978_talloc_realloc
Bad talloc magic value - access after free
UNEXPECTED(error): samba4.local.talloc.magic_free_protection(none)
REASON: Exception: Exception: Test was never started
UNEXPECTED(error): samba4.local.talloc.magic_protection(none)
(samba.subunit.RemotedTestCase)
REASON: was started but never finished!
UNEXPECTED(error): samba4.local.talloc.talloc(none)
(samba.subunit.RemotedTestCase)
REASON: was started but never finished!

I don't think we need this for 4.8.0rc1.

metze

Am 08.01.2018 um 05:38 schrieb Andrew Bartlett via samba-technical:
> On Thu, 2017-12-21 at 20:13 +1300, Andrew Bartlett via samba-technical
> wrote:
>> G'Day,
>>
>> I've been thinking about ways that our talloc magic protection might be
>> avoided and reading the magic from memory that has recently been
>> free()ed would be a good attack.
>>
>> So this patch marks this memory with a fixed magic.  All valid use of
>> memory still uses the random magic.
>>
>> This passed a full autobuild.
>>
>> Please carefully review!  
>>
>> On my re-look it might need to tweak talloc_chunk_from_ptr() a little
>> (when other flags could be set), but I would like other thoughts too!
> 
> Attached is a revised set of patches, which removes the
> talloc_abort_magic() branch as I can't see how it is usefully
> triggered. 
> 
> Clearly this needs very careful review.
> 
> Andrew Bartlett
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180112/5235de57/signature.sig>