bug-gnulib
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: critique of gnulib - malloc wrapper


From: Bruno Haible
Subject: Re: critique of gnulib - malloc wrapper
Date: Sun, 08 Sep 2019 19:28:03 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-159-generic; KDE/5.18.0; x86_64; ; )

Jonas Termansen wrote:
> I object to the attitude that code analysis tools should only really be
> supported on glibc systems. A lot of security features are being
> pioneered on other systems and making it easier for everyone to use
> these tools benefits everyone
> 
> "Exploit mitigation counter-measures" is whenever a system has an
> exploit mitigation and software goes out of its way to not take benefit.
> A good example is the 2014 Heartbleed vulnerability where there was a
> good old buffer overflow. OpenSSL was wrapping malloc with its own
> allocation layer, which made use-after-free bugs worse and did not
> support zeroing freed allocations. That meant that systems with a
> hardened malloc (an exploit mitigation) such as OpenBSD, which would
> have reduced the data leakage a lot, did not benefit from the exploit
> mitigation. ...

The gnulib malloc wrapper is not an as severe problem as you might think.
It is only enabled
  - on AIX, because malloc(0) -> NULL on this platform,
  - on native Windows, because malloc does not errno upon failure,
  - in cross-compiles - a problem for which we are searching a solution.

When you say "A lot of security features are being pioneered on other systems",
these are mostly BSD and research OSes, not AIX nor native Windows.

Bruno




reply via email to

[Prev in Thread] Current Thread [Next in Thread]