From 22188b764c8bfd883d5066fed39573c5fed7e3f3 Mon Sep 17 00:00:00 2001 From: brooks Date: Sat, 14 Oct 2017 16:49:39 +0000 Subject: [PATCH] MFC r324243: Remove an unneeded and incorrect memset(). On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv) the __libc_allocate_tls function allocates thread local storage memory with calloc(). It then copies initialization data over the portions with non-zero initial values. Before this change it would then pointlessly zero the already zeroed remainder of the storage. Unfortunately the calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *)) additional bytes. In practice, this overflow only matters if the TLS segment is sized such that calloc() allocates less than TLS_TCB_SIZE extra memory. Even then, the likely result will be zeroing part of the next bucket. This coupled with the impact being confined to Tier II platforms means there will be no security advisory for this issue. Reviewed by: kib, dfr Discussed with: security-officer (delphij) Found by: CHERI Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D12547 git-svn-id: svn://svn.freebsd.org/base/stable/10@324617 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- lib/libc/gen/tls.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/libc/gen/tls.c b/lib/libc/gen/tls.c index 8ac404009..2bf388977 100644 --- a/lib/libc/gen/tls.c +++ b/lib/libc/gen/tls.c @@ -161,9 +161,6 @@ __libc_allocate_tls(void *oldtcb, size_t tcbsize, size_t tcbalign __unused) if (tls_init_size > 0) memcpy((void*)dtv[2], tls_init, tls_init_size); - if (tls_static_space > tls_init_size) - memset((void*)(dtv[2] + tls_init_size), 0, - tls_static_space - tls_init_size); } return(tcb); -- 2.42.0