From owner-svn-src-stable@freebsd.org Sat Oct 14 16:23:26 2017 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AAA15E4A79E; Sat, 14 Oct 2017 16:23:26 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 70B8174654; Sat, 14 Oct 2017 16:23:26 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v9EGNPZ3092792; Sat, 14 Oct 2017 16:23:25 GMT (envelope-from brooks@FreeBSD.org) Received: (from brooks@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v9EGNPDK092791; Sat, 14 Oct 2017 16:23:25 GMT (envelope-from brooks@FreeBSD.org) Message-Id: <201710141623.v9EGNPDK092791@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brooks set sender to brooks@FreeBSD.org using -f From: Brooks Davis Date: Sat, 14 Oct 2017 16:23:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r324616 - stable/11/lib/libc/gen X-SVN-Group: stable-11 X-SVN-Commit-Author: brooks X-SVN-Commit-Paths: stable/11/lib/libc/gen X-SVN-Commit-Revision: 324616 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Oct 2017 16:23:26 -0000 Author: brooks Date: Sat Oct 14 16:23:25 2017 New Revision: 324616 URL: https://svnweb.freebsd.org/changeset/base/324616 Log: MFC r324243: Remove an unneeded and incorrect memset(). On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv) the __libc_allocate_tls function allocates thread local storage memory with calloc(). It then copies initialization data over the portions with non-zero initial values. Before this change it would then pointlessly zero the already zeroed remainder of the storage. Unfortunately the calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *)) additional bytes. In practice, this overflow only matters if the TLS segment is sized such that calloc() allocates less than TLS_TCB_SIZE extra memory. Even then, the likely result will be zeroing part of the next bucket. This coupled with the impact being confined to Tier II platforms means there will be no security advisory for this issue. Reviewed by: kib, dfr Discussed with: security-officer (delphij) Found by: CHERI Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D12547 Modified: stable/11/lib/libc/gen/tls.c Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libc/gen/tls.c ============================================================================== --- stable/11/lib/libc/gen/tls.c Sat Oct 14 10:02:59 2017 (r324615) +++ stable/11/lib/libc/gen/tls.c Sat Oct 14 16:23:25 2017 (r324616) @@ -160,9 +160,6 @@ __libc_allocate_tls(void *oldtcb, size_t tcbsize, size if (tls_init_size > 0) memcpy((void*)dtv[2], tls_init, tls_init_size); - if (tls_static_space > tls_init_size) - memset((void*)(dtv[2] + tls_init_size), 0, - tls_static_space - tls_init_size); } return(tcb);