Date:      Tue, 10 Feb 2004 10:18:43 +1100 (EST)
From:      Bruce Evans <bde@zeta.org.au>
To:        Stefan Farfeleder <stefan@fafoe.narf.at>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: grep bug
Message-ID:  <20040210101500.N50462@gamplex.bde.org>
In-Reply-To: <20040209145920.GA623@wombat.fafoe.narf.at>
References:  <20040209023623.GA30071@xor.obsecurity.org> <20040209145920.GA623@wombat.fafoe.narf.at>

On Mon, 9 Feb 2004, Stefan Farfeleder wrote:

> On Sun, Feb 08, 2004 at 06:36:23PM -0800, Kris Kennaway wrote:
> > kkenn@rot13:~ grep -r foo / > /dev/null
> > grep: /dev/network: Permission denied
> > grep: /dev/geom.ctl: Permission denied
> > grep: /dev/devctl: Permission denied
> > grep: /dev/ata: Permission denied
> > grep: /dev/console: Permission denied
> > grep in realloc(): error: allocation failed
> > ^C^C^CAbort (core dumped)
>
> -current aborts by default on memory allocation failures, you have to
> set the 'a' flag via MALLOC_OPTIONS or /etc/malloc.conf.

I have this turned off in /etc/malloc.conf, but turning it off has been
broken for about a year for user root and group wheel:

%%%
Index: malloc.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -2 -r1.72 -r1.73
--- malloc.c	21 Aug 2002 17:11:00 -0000	1.72
+++ malloc.c	23 Jan 2003 21:26:47 -0000	1.73
@@ -10,5 +10,5 @@

 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libc/stdlib/malloc.c,v 1.72 2002/08/21 17:11:00 phk Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/stdlib/malloc.c,v 1.73 2003/01/23 21:26:47 phk Exp $");

 /*
@@ -465,4 +465,11 @@
 	}
     }
+
+    /*
+     * Sensitive processes, somewhat arbitrarily defined here as setuid,
+     * setgid, root and wheel cannot afford to have malloc mistakes.
+     */
+    if (issetugid() || getuid() == 0 || getgid() == 0)
+	    malloc_abort = 1;

     UTRACE(0, 0, 0);
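
Review bot: the unconditional `malloc_abort = 1` for `getuid() == 0 || getgid() == 0` is placed after option parsing has finished, so an explicit 'a' flag from MALLOC_OPTIONS or /etc/malloc.conf is silently discarded for root and wheel, with no override and no diagnostic. Forcing the abort is defensible for the `issetugid()` case, where the environment comes from an untrusted caller, but a plain root or wheel process is already trusted with its own environment and with /etc/malloc.conf. Consider setting this as a default before the options are parsed so that an explicit flag still wins, or limiting the forced case to `issetugid()`. Either way the behaviour should be documented in the manual page, since the comment itself describes the set of affected processes as "somewhat arbitrarily defined".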
%%%

This code is executed after parsing MALLOC_OPTIONS etc., so there is no
way to override it.

Bruce


