Bug ID: 22852
Summary: Thread stack and heap caches
Assignee: unassigned at sourceware dot org
Reporter: blackzert at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
In the current implementation, for any thread created with pthread_create, glibc will
create a new heap after the first malloc call from the context of this thread.
GNU libc has special caches to keep the stacks of finished threads and their
heaps. These caches allow glibc to make creation of threads and their heaps faster.
On any call to pthread_create or malloc from a thread, glibc first checks the
appropriate caches in the hope of finding already mmapped regions, and if it finds any, it uses them.
The problem here is that this behaviour totally breaks ASLR: if an attacker can leak the
address of an ended thread's stack or heap, he can use this address later in any
vulnerability in the hope of getting the same stack region / heap memory region and
successfully exploiting the application.
The current kernel implementation of ASLR is going to be improved, I hope. I have
prepared patches which will randomize the addresses returned by the kernel on any mmap.
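A small probe, added here as an illustration and not part of the bug report, that shows the reuse the reporter describes: it runs two joinable threads back to back, records the address of a stack local and of the thread's first malloc in each, and compares them. On glibc the second thread's stack comes from the stack cache filled when the first thread was joined, so the stack addresses match; the heap address usually matches too, because the exited thread's arena goes back on the free list and the freed chunk is handed out again. The names `probe`, `worker` and `probe_reuse` are this example's own; the result depends on the libc (musl has no such cache) and on the thread stack being small enough for glibc's cache limit.

```c
/* Probe whether a new thread inherits the stack and heap of a thread that
 * already exited (glibc's stack cache and arena free list).
 * Build: cc -O0 -o probe probe.c -lpthread
 */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct probe {
    uintptr_t stack;   /* address of a local variable on the thread's stack */
    uintptr_t heap;    /* address returned by the thread's first malloc     */
};

static void *worker(void *arg)
{
    struct probe *p = arg;
    volatile char marker;                /* lives on this thread's stack */
    p->stack = (uintptr_t)&marker;

    /* First malloc from this thread: glibc picks (or creates) an arena for it. */
    void *h = malloc(64);
    p->heap = (uintptr_t)h;
    free(h);                             /* returned to the arena when the thread exits */
    return NULL;
}

/* Create one thread, let it record its addresses, and join it.
 * After the join its stack is placed on glibc's stack cache. */
static int run_one(struct probe *p)
{
    pthread_t t;
    if (pthread_create(&t, NULL, worker, p) != 0)
        return -1;
    if (pthread_join(t, NULL) != 0)
        return -1;
    return 0;
}

/* Runs two threads in sequence and fills out[0], out[1].
 * Returns -1 on error, otherwise a bitmask:
 *   bit 0: second thread got the same stack address as the first
 *   bit 1: second thread's first malloc returned the same heap address */
int probe_reuse(struct probe out[2])
{
    if (run_one(&out[0]) != 0 || run_one(&out[1]) != 0)
        return -1;
    int bits = 0;
    if (out[0].stack == out[1].stack)
        bits |= 1;
    if (out[0].heap == out[1].heap)
        bits |= 2;
    return bits;
}

int main(void)
{
    struct probe r[2];
    int bits = probe_reuse(r);
    if (bits < 0) {
        perror("probe_reuse");
        return 1;
    }
    for (int i = 0; i < 2; i++)
        printf("thread %d: stack=%#lx heap=%#lx\n", i,
               (unsigned long)r[i].stack, (unsigned long)r[i].heap);
    printf("stack reused: %s, heap reused: %s\n",
           (bits & 1) ? "yes" : "no", (bits & 2) ? "yes" : "no");
    return 0;
}
```

Run it a few times under a normal ASLR setting: the addresses change from one process to the next, but within one process the second thread lands on the first thread's stack, which is exactly the property an attacker with one leaked address from a finished thread would rely on.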