Remove an unneeded and incorrect memset().

On Variant I TLS architectures (aarch64, arm, mips, powerpc, and riscv) the __libc_allocate_tls function allocates thread local storage memory with calloc(). It then copies initialization data over the portions with non-zero initial values. Before this change it would then pointlessly zero the already zeroed remainder of the storage. Unfortunately the calculation was wrong and it would zero TLS_TCB_SIZE (2*sizeof(void *)) additional bytes. In practice, this overflow only matters if the TLS segment is sized such that calloc() allocates a less than TLS_TCB_SIZE extra memory. Even then, the likely result will be zeroing part of the next bucket. This coupled with the impact being confined to Tier II platforms means there will be no security advisory for this issue. Reviewed by: kib, dfr Discussed with: security-officer (delphij) MFC after: 1 week Found by: CHERI Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D12547
2017-10-03 22:57:19 +00:00 · 2017-10-03 22:57:19 +00:00 · 5e12225140
commit 5e12225140
parent 780dc32b31
1 changed files with 0 additions and 3 deletions
--- a/lib/libc/gen/tls.c
+++ b/lib/libc/gen/tls.c
@ -160,9 +160,6 @@ __libc_allocate_tls(void *oldtcb, size_t tcbsize, size_t tcbalign __unused)

 		if (tls_init_size > 0)
 			memcpy((void*)dtv[2], tls_init, tls_init_size);
-		if (tls_static_space > tls_init_size)
-			memset((void*)(dtv[2] + tls_init_size), 0,
-			    tls_static_space - tls_init_size);
 	}

 	return(tcb);