
Bug#213994: Consider including this patch too [[ANNOUNCE] glibc heap protection patch]



On Tue, Dec 02, 2003 at 10:15:41AM +0100, Javier Fernández-Sanguino Peña wrote:
> This patch has been recently announced in bugtraq and might be also 
> relevant.

This is a glibc patch, not a gcc patch.

Also, their approach is dubiously effective, it has non-negligible
performance impact, and they distinctly did not provide information
about the memory overhead (which can be substantial).  I would need a
lot more testing and a lot more analysis before considering such a
thing.

> Aside from providing these patches at debian/patches, is there any way they 
> could be applied to the stock gcc-3.3 package? As I understand it, in order 
> for these to be activated sources need to be compiled with an explicit 
> option. What harm is there in patching Debian's gcc-3.3? Any known issues 
> in some of our supported platforms?

They're large patches, with no testing on most architectures.  They
touch platform independent code.  If it really did do nothing without
the option, and we were convinced of that, then maybe they could be
applied - I'm not convinced.

> 
> Regards
> 
> Javi
> 
> 
> -------- Original Message --------
> Subject: [ANNOUNCE] glibc heap protection patch
> Date: Mon, 1 Dec 2003 11:31:03 -0800
> From: William Robertson <wkr@cs.ucsb.edu>
> To: sectools@securityfocus.com, bugtraq@securityfocus.com, 
> focus-ids@securityfocus.com
> 
> Hi all,
> 
> I'd just like to announce that we have a heap protection system for
> glibc available for download. The system detects and prevents all heap
> overflow exploits that modify inline control information from
> succeeding against a protected application, can be installed
> system-wide or on a per-process basis using LD_PRELOAD, and is
> transparent to existing applications.
> 
> We would definitely appreciate any feedback and bug reports on the
> code. The patch and some additional information are available at:
> 
> http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
> 
> Enjoy!
> 
> --
> William Robertson
> Reliable Software Group, UC Santa Barbara
> http://www.cs.ucsb.edu/~wkr/



-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
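The announcement forwarded above talks about heap overflows that "modify inline control information", and the reply questions the cost of checking it. The following toy arena allocator in C is an added illustration, not part of this thread, of glibc, or of the UCSB patch: each chunk carries an inline header with a check value derived from its fields, a 24-byte copy into a 16-byte chunk lands on the next chunk's header, and a free() that verifies the header refuses the tampered chunk. The header layout, the magic constant, the check function and every name here are assumptions for the example, not glibc's chunk format or the patch's design; the payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy arena: one static buffer carved into chunks that carry an
 * inline header, in the spirit of malloc chunk headers.  Layout, magic value
 * and names are assumptions for this example, not glibc's or the patch's. */
#define ARENA_SIZE 4096
#define HDR_MAGIC  0x5A5AU

struct chunk_hdr {
    uint32_t size;    /* usable bytes that follow the header */
    uint16_t in_use;  /* 1 while handed out, 0 after free */
    uint16_t check;   /* derived from size and in_use; mismatch = header tampered */
};

static union { uint64_t align; unsigned char bytes[ARENA_SIZE]; } arena;
static size_t arena_top;  /* bump pointer; chunks are never reused, to keep it small */

static uint16_t hdr_check(const struct chunk_hdr *h) {
    return (uint16_t)(HDR_MAGIC ^ (h->size & 0xffffU) ^ h->in_use);
}

static struct chunk_hdr *hdr_of(void *p) {
    return (struct chunk_hdr *)((unsigned char *)p - sizeof(struct chunk_hdr));
}

static void *toy_malloc(size_t n) {
    size_t need = sizeof(struct chunk_hdr) + ((n + 7) & ~(size_t)7);
    if (n == 0 || need > ARENA_SIZE - arena_top)
        return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)(arena.bytes + arena_top);
    h->size = (uint32_t)(need - sizeof *h);
    h->in_use = 1;
    h->check = hdr_check(h);
    arena_top += need;
    return (unsigned char *)h + sizeof *h;
}

/* 1 if the inline control information is as the allocator wrote it, 0 otherwise. */
static int toy_hdr_intact(void *p) {
    const struct chunk_hdr *h = hdr_of(p);
    return h->in_use == 1 && h->check == hdr_check(h);
}

/* free() that refuses to act on a tampered header: 1 on success, 0 if refused. */
static int toy_free(void *p) {
    struct chunk_hdr *h = hdr_of(p);
    if (!toy_hdr_intact(p))
        return 0;
    h->in_use = 0;
    h->check = hdr_check(h);
    return 1;
}

/* Two adjacent 16-byte chunks; b's header sits directly after a's user data. */
static int two_chunks(char **a, char **b) {
    arena_top = 0;
    *a = toy_malloc(16);
    *b = toy_malloc(16);
    return (*a && *b) ? 0 : -1;
}

/* Correct use: exactly 16 bytes into a 16-byte chunk.
 * Returns the number of headers failing the check (0). */
static int clean_scenario(void) {
    char *a, *b;
    if (two_chunks(&a, &b) < 0) return -1;
    memcpy(a, "0123456789abcdef", 16);
    return !toy_hdr_intact(a) + !toy_hdr_intact(b);
}

/* The bug: a constructed 24-byte payload copied into a 16-byte chunk with no
 * length check.  Its last 8 bytes overwrite b's size, in_use and check with
 * 0x41 bytes.  Returns the number of headers failing the check (1: b's).
 * All writes stay inside arena.bytes, so the demonstration itself is defined. */
static int overflow_scenario(void) {
    char *a, *b;
    if (two_chunks(&a, &b) < 0) return -1;
    const char payload[] = "0123456789abcdef" "AAAAAAAA";
    memcpy(a, payload, sizeof payload - 1);
    return !toy_hdr_intact(a) + !toy_hdr_intact(b);
}

/* What the checking free() does with the overflowed neighbour: refuses (0)
 * instead of trusting size/in_use fields the attacker now controls. */
static int free_after_overflow(void) {
    char *a, *b;
    if (two_chunks(&a, &b) < 0) return -1;
    const char payload[] = "0123456789abcdef" "AAAAAAAA";
    memcpy(a, payload, sizeof payload - 1);
    return toy_free(b);
}

int main(void) {
    printf("clean: %d tampered header(s)\n", clean_scenario());
    printf("overflow: %d tampered header(s)\n", overflow_scenario());
    printf("free(b) after overflow accepted: %d\n", free_after_overflow());
    return 0;
}
```

Two things the toy makes concrete about the discussion above: the check field costs space in every chunk and a computation on every allocate and free, which is the kind of overhead the reply asks about, and the tampering is only noticed when the neighbour is freed, so a write that corrupts user data (for example a function pointer stored in b) rather than inline control information is not covered by a header check at all.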


