standard error handling for malloc() broken for user root and group wheel
Bruce Evans
bde at zeta.org.au
Tue Feb 17 19:19:03 PST 2004
User root and group wheel cannot get standard error handling for malloc()
even if they specifically asked for it using MALLOC_OPTIONS=a or
equivalent. This was broken in rev.1.73 of malloc.c. Fix:
%%%
Index: malloc.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdlib/malloc.c,v
retrieving revision 1.84
diff -u -2 -r1.84 malloc.c
--- malloc.c 28 Nov 2003 18:03:22 -0000 1.84
+++ malloc.c 16 Feb 2004 18:38:36 -0000
@@ -411,5 +411,5 @@
const char *p;
char b[64];
- int i, j;
+ int i, j, malloc_a;
int save_errno = errno;
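Review bot: the new `int i, j, malloc_a;` declaration gives the flag an opaque name; since it only records whether the most recent `a`/`A` option parsed was `a`, a more descriptive name (for example `malloc_abort_opt_out`) or a one-line comment at the declaration would make the later `malloc_a == 0` test self-explanatory.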
@@ -420,4 +420,5 @@
#endif /* MALLOC_EXTRA_SANITY */
+ malloc_a = 0;
for (i = 0; i < 3; i++) {
if (i == 0) {
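Review bot: `malloc_a = 0;` is placed immediately before the `for (i = 0; i < 3; i++)` loop rather than inside it, so the flag carries across all iterations with last-one-wins semantics, the same as `malloc_abort`. That is the right behaviour, but it is easy to misread as an omission; either initialize it in the declaration (`int i, j, malloc_a = 0;`) or add a short comment saying it is deliberately not reset per iteration.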
@@ -438,6 +439,6 @@
case '>': malloc_cache <<= 1; break;
case '<': malloc_cache >>= 1; break;
- case 'a': malloc_abort = 0; break;
- case 'A': malloc_abort = 1; break;
+ case 'a': malloc_abort = 0; malloc_a = 1; break;
+ case 'A': malloc_abort = 1; malloc_a = 0; break;
#if defined(MADV_FREE)
case 'h': malloc_hint = 0; break;
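Review bot: the `case 'a'` / `case 'A'` pair now keeps `malloc_a` in step with `malloc_abort`, so an `A` seen after an `a` correctly withdraws the opt-out instead of leaving a stale flag. Style point: the flag is maintained by duplicating an assignment next to every write of `malloc_abort`, which will drift if another option ever touches `malloc_abort`; with only two cases this is acceptable, but a comment on the `case 'a'` line stating that `malloc_a` must track `malloc_abort` would help the next editor.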
@@ -469,9 +470,16 @@
/*
- * Sensitive processes, somewhat arbitrarily defined here as setuid,
- * setgid, root and wheel cannot afford to have malloc mistakes.
+ * Sensitive processes, somewhat arbitrarily defined here as setuid
+ * and setgid ones, cannot afford to have malloc mistakes.
*/
- if (issetugid() || getuid() == 0 || getgid() == 0)
- malloc_abort = 1;
+ if (issetugid())
+ malloc_abort = 1;
+
+ /*
+ * Also, abort on malloc mistakes for root and wheel unless the user
+ * has explicitly asked not to.
+ */
+ if (malloc_a == 0 && (getuid() == 0 || getgid() == 0))
+ malloc_abort = 1;
UTRACE(0, 0, 0);
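Review bot: splitting the old combined test into an unconditional `if (issetugid())` and a separate `if (malloc_a == 0 && (getuid() == 0 || getgid() == 0))` restores the `a` opt-out for root and wheel while keeping it unavailable to setuid/setgid processes, which matches the description. Two points the new comment should state explicitly: the second test uses real IDs (`getuid()`/`getgid()`), so "root and wheel" means who started the process, not its current effective privilege; and both tests run once at initialization, so a process that becomes sensitive later is not covered (already listed below as an unfixed bug). Both belong in malloc.3 when that documentation is written.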
%%%
Related unfixed bugs:
- the special handling for sensitive processes is not documented in malloc.3.
- the special handling for sensitive processes doesn't work in all cases.
Processes may become sensitive after malloc() has been initialized.
- the special handling for sensitive processes is not in RELENG_4. This is
only a bug if the special handling is not a bug.
Bruce