From: Brooks Davis
Date: Tue, 3 Oct 2017 22:57:19 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r324243 - head/lib/libc/gen

Author: brooks
Date: Tue Oct 3 22:57:19 2017
New Revision: 324243
URL: https://svnweb.freebsd.org/changeset/base/324243

Log:
Remove an unneeded and incorrect memset().

On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv) the __libc_allocate_tls function allocates thread local storage memory with calloc(). It then copies initialization data over the portions with non-zero initial values. Before this change it would then pointlessly zero the already zeroed remainder of the storage. Unfortunately the calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *)) additional bytes.

In practice, this overflow only matters if the TLS segment is sized such that calloc() allocates less than TLS_TCB_SIZE extra memory. Even then, the likely result will be zeroing part of the next bucket. This coupled with the impact being confined to Tier II platforms means there will be no security advisory for this issue.

Reviewed by: kib, dfr Discussed with: security-officer (delphij) MFC after: 1 week Found by: CHERI Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D12547 Modified: head/lib/libc/gen/tls.c Modified: head/lib/libc/gen/tls.c ============================================================================== --- head/lib/libc/gen/tls.c Tue Oct 3 19:08:16 2017 (r324242) +++ head/lib/libc/gen/tls.c Tue Oct 3 22:57:19 2017 (r324243) @@ -160,9 +160,6 @@ __libc_allocate_tls(void *oldtcb, size_t tcbsize, size if (tls_init_size > 0) memcpy((void*)dtv[2], tls_init, tls_init_size); - if (tls_static_space > tls_init_size) - memset((void*)(dtv[2] + tls_init_size), 0, - tls_static_space - tls_init_size); } return(tcb);
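
Review bot: With the memset() gone, nothing at the memcpy((void*)dtv[2], tls_init, tls_init_size) site records that the bytes past tls_init_size are expected to be zero already; per the log that holds only because the block comes from calloc(), and the allocation is not visible in this hunk. A short comment above the memcpy() stating that the remainder of the static TLS area is zeroed by calloc() would explain the missing memset() and stop a later switch to a non-zeroing allocator from leaving that region uninitialized. It would also help to note, in the comment or the log, where dtv[2] points relative to the start of the allocation, since the removed call wrote tls_static_space - tls_init_size bytes starting at dtv[2] + tls_init_size and the TLS_TCB_SIZE overrun described in the log cannot be confirmed from these lines alone.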